IBM PC and Compatibles Virus Alerts

Download the latest SDAT/DAT
Archived PC Alerts1999-2002

W32/MyWife.d@MM!M24
(aka Blackworm)
Jan. 26, 2006

Platform: Windows 95/98/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4682 (released 1/25/2006)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_138027.htm
http://www.sophos.com/virusinfo/analyses/w32nyxemd.html (Sophos)
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html (Symantec)
http://isc.sans.org/blackworm (SANS ISC)
Symantec Blackmal removal tool

Be on the alert for a new worm being called Blackworm, that spreads via email attachments or file shares. The email claims to contain obscene pictures and sex movies. The threat is rated low by McAfee but has been receiving some press lately.

It has a data destroying payload set to trigger on February 3rd (and the 3rd of any month). Blackworm destroys DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files by replacing their contents with the string:

DATA Error [47 0F 94 93 F4 K5]

Blackworm is also called W32/MyWife.d@MM!M24 (McAfee), W32/Nyxem-D (Sophos) and W32.Blackmal.e@mm (Symantec). It has been assigned CME-24. See http://cme.mitre.org/ for other aliases for Blackworm.

Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

The worm also:

Turns off anti-virus applications
Sends itself to email addresses found on the infected computer
Deletes files off the computer
Forges the sender's email address
Uses its own emailing engine
Downloads code from the internet
Reduces system security
Installs itself in the Registry

WHAT TO DO

McAfee released DAT files to detect this threat. It is very important to keep your anti-virus DAT files current, as updates/enhancements are released daily. You will need McAfee DAT 4682 (released 1/25/06) or later to detect W32/Mywife.d@MM!M24.

It is advised that you update your DAT files to the current version, scan all files on your local hard drives, and ensure that your fileshares have strong passwords. Disable filesharing, if not needed.

EMAIL COMPONENT

The worm arrives via email with a spoofed FROM address and a PIF or a MIME-encoded attachment.

SUBJECT: includes one of the following or may be blank

Photos
My photos
School girl fantasies gone bad
Part 1 of 6 Video clipe
*Hot Movie*
Re:
Fw: Picturs
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Fw:
Fwd: Crazy illegal Sex!
Fw: Real show
Fw: SeX.mpg
Fw: DSC-00465.jpg
Re: Sex Video
Word file
the file
eBook.pdf
Miss Lebanon 2006
A Great Video
give me a kiss

BODY: (varies, such as)

Note: forwarded message attached.
You Must View This Videoclip!
>> forwarded message
i just any one see my photos.
forwarded message attached.
Please see the file.
----- forwarded message -----
The Best Videoclip Ever
Hot XXX Yahoo Groups
F***in Kama Sutra pics
ready to be F***ED ;)
VIDEOS! FREE! (US$ 0,00)
It's Free :)
hello,
i send the file.
bye
hi
i send the details
i attached the details.
how are you?
What?
Thank you
i send the details.
OK ?

ATTACHMENT: may either be an executable itself or a MIME-encoded file which contains the executable.

The executable filename is one of the following:

04.pif
007.pif
School.pif
photo.pif
DSC-00465.Pif
Arab sex DSC-00465.jpg
image04.pif
677.pif
DSC-00465.pIf
New_Document_file.pif
eBook.PIF
document.pif

The MIME-encoded filename is one of the following:

SeX.mim
Sex.mim
WinZip.BHX
3.92315089702606E02.UUE
Attachments[001].B64
eBook.Uu
Word_Document.hqx
Word_Document.uu
Attachments00.HQX
Attachments001.BHX
Video_part.mim

W32/Mywife.d copies itself with some of the following filenames:

< Windows>\Rundll16.exe
< System>\scanregw.exe
< System>\Winzip.exe
< System>\Update.exe
< System>\WinZip_Tmp.exe
< System>\New WinZip File.exe
movies.exe
Zipped Files.exe

NETWORK SHARE COMPONENT

The worm will attempt to copy itself to the following shares, using the current user's authentication:

C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
Admin$\winzip_tmp.exe
C$\winzip_tmp.exe

The worm creates scheduled tasks to run winzip_tmp.exe during the 59th minute of every hour.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

W32/Sober@MM!M681
(aka W32/Sober-Z (Sophos))
November 23, 2005

Platform: Windows 95/98/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4635 (released 11/23/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_137072.htm
http://www.sophos.com/virusinfo/analyses/w32soberz.html (Sophos)
Stinger removal tool (v2.5.9, 11/22/05)

As reported yesterday, a new Sober email virus variant is circulating around the Internet with a spoofed FROM address (examples reported include hostmaster@hawaii.edu, postman@hawaii.edu, admin@yahoo.com, admin@cia.gov) and a ZIP attachment.

McAfee has raised the risk threat to MEDIUM to due increased prevalence. Please update your McAfee DAT to 4635 (released 11/23/05) to detect this threat.

The Stinger removal tool (v2.5.9, renamed stng259.exe) has been updated (11/22/05) to detect this threat. Download Stinger from http://vil.nai.com/vil/stinger/ and run it if you suspect that your computer has been infected.

The attachment is one of the following:

reg_pass-data.zip
reg_pass.zip
question_list.zip
mailtext.zip
mail_body.zip
mail.zip
list.zip
email_text.zip

Here are samples of the Sober virus email:

Subject: hi, ive a new mail address
Body:
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not
sure!

plz read and check ...
cyaaaaaaa

Subject: Registration Confirmation
or
Subject: Your Password
Body: Account and Password Information are attached!

Subject: Paris Hilton & Nicole Richie
Body:
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!

Please use our Download manager.

Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

Subject: Registration_Confirmation
Body:
Protected message is attached!

***** Go to: http://www.your_domain
***** Email: postman@your_domain

The virus also sends email messages in German.

When the attachment is opened, a fake error message "error in packed header" is displayed. The virus creates a directory, WinSecurity, in %Windir%, the default Windows directory (c:\windows or c:\winnt). It copies itself as the following files:

%Windir%\csrss.exe
%Windir%\WinSecurity\services.exe
%Windir%\WinSecurity\smss.exe

It creates MIME-encoded .ZIP files that contain a copy of the worm:

%Windir%\WinSecurity\socket1.ifo
%Windir%\WinSecurity\socket2.ifo
%Windir%\WinSecurity\socket3.ifo

It creates other non-malicious files in %Windir%\WinSecurity and %System%, the default System directory (c:\windows\system for Win95/98/ME, c:\Winnt\System32 for WinNT/2000, c:\Windows\System32 for WinXP).

Two registry keys are created to load the worm on startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Run "_Windows" = C:\WINDOWS\WinSecurity\services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run " Windows" = C:\WINDOWS\WinSecurity\services.exe

It gathers email addresses from files on the infected computer and attempts to terminate processes including McAfee's Stinger removal tool. See virus description for the list of processes.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

W32/Bagle.ck
(aka Troj/BagleDL-U (Sophos))
September 19, 2005

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4585 (released 9/19/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_136039.htm
http://www.sophos.com/virusinfo/analyses/trojbagledlu.html (Sophos)

A new Bagle variant was mass spammed today. It arrives via email as a .ZIP attachment with filename including the word "price" (price.zip, price2.zip, newprice.zip, 09_price.zip, etc.). Other similar Bagel variants were also mass spammed today.

This variant copies itself to the Windows system folder (c:\windows\system32, c:\winnt\system32, c:\windows\system) as WINSHOST.EXE and adds the following registry hooks:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Run "winshost.exe" = C:\WINDOWS\System32\winshost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "winshost.exe" = C:\WINDOWS\System32\winshost.exe
HKEY_CURRENT_USER\Software\FirstRun (infection marker)

It drops a file wiwshost.exe in the system directory. This file gets injected into the EXPLORER process and tries to download a file osa6.gif from various sites.

It attempts to terminate processes and services and to delete registry entries related to security and antivirus programs.

It overwrites the HOSTS file with the following single line, overwriting any settings:

127.0.0.1 localhost

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

W32/IRCbot.worm!MS05-039
(aka W32.Zotob.E (Symantec), W32/Tpbot-A (Sophos))
August 16, 2005

Platform: Windows 2000
Risk Assessment: High
Minimum VirusScan DAT: 4560 (released 8/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_135491.htm
Stinger removal tool: v2.5.6 (8/16/05)

The W32/IRCbot.worm!MS05-039 spreads via IRC (Internet Relay Chat) and via the network by exploiting Windows systems unpatched for the MS05-039 Plug and Play (PnP) vulnerability.

You must patch your Windows system or your system will get reinfected! There are many worms exploiting the MS05-039 PnP vulnerability. (See War of the Worms).

To Patch Your Windows System

Open Internet Explorer and go to http://windowsupdate.microsoft.com and install all critical updates.

If you are having problems with the windowsupdate site, download the MS05-039 patch from:

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Be sure to click on the right link for your operating system.

You may use the Stinger removal tool (dated 8/16/05) to scan your hard drive for this worm. Remember patch first, update your DAT and then scan your hard drive.

The worm can run on, but not infect, computers running Windows 95/98/ME/NT4/XP. Although these operating systems can not be infected, they can still be used to infect vulnerable computers that they connect to.

The worm is designed to contact a remote IRC server and wait for further instructions from the hacker.

When the file is run the virus copies itself in the Windows System directory as wintbp.exe. The file can be run automatically by exploiting the MS05-039 vulnerability or by a hacker directly executing the worm.

Registry keys are created to load the worm at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "wintbp.exe" = wintbp.exe

The infected computer scans the network for Windows computers unpatched for the MS05-039 vulnerability on tcp port 445. When a vulnerable system is found, it uses a buffer overflow to write the worm to the computer via a TFTP upload on port 8594.

The infected computer may become unstable and reboot.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

W32/Zotob-A and W32/Zotob-B (Sophos)
(aka W32/Zotob.worm)
August 15, 2005

Platform: Windows 2000
Risk Assessment: Low
Minimum VirusScan DAT: 4558 (released 8/15/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_135433.htm
http://www.sophos.com/virusinfo/analyses/w32zotoba.html (Sophos)
http://www.sophos.com/virusinfo/analyses/w32zotobb.html (Sophos)
http://www.f-secure.com/v-descs/zotob_a.shtml (F-Secure)
http://www.f-secure.com/v-descs/zotob_b.shtml (F-Secure)

The W32/Zotob-A worm exploits the MS05-039 plug and play vulnerability (KB899588); the security bulletin was issued by Microsoft on August 9, 2005. Details and patches are available at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx. A remote attacker could exploit the vulnerability and take complete control of the affected system. Windows 2000 systems are primarily at risk.

Note: All Windows systems should be updated with the latest round of Windows patches released by Microsoft on August 9, 2005. Open Internet Explorer and go to http://windowsupdate.microsoft.com. Apply all critical patches.

W32/Zotob-A spreads via the network by scanning for vulnerable unpatched systems on destination tcp port 445, exploiting buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039). It runs continuously in the background. It provides a backdoor server allowing a remote hacker to gain access and control over the computer.

Spreading using Plug and Play service vulnerability
(From F-Secure http://www.f-secure.com/v-descs/zotob_a.shtml)

The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445.

It creates 300 threads that connect to random IP addresses within the B-class (255.255.0.0) network of the infected system. First it tests connection to port 445 and if successful, it tries to exploit the vulnerability. If the attack is successful a shell (cmd.exe) is started on port 8888. Through the shell port, the worm sends a ftp script which instructs the remote computer to download and execute the worm from the attacker computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk.

Here's the summary of the ports used in attack:

Port 445 - The worm scans for systems vulnerable to PnP exploit through this port

Port 33333 - FTP server port on infected systems

Port 8888 - The command shell port opened by the exploit code

The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected.
-------------------------------
When first run W32/Zotob-A copies itself to %System%\botzor.exe.

The following registry entries are created to run botzor.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
botzor.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
botzor.exe

W32/Zotob-A also sets the following registry entry

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

The worm may drop a file 2pac.txt. This is a text file that may be safely deleted.

W32/Zotob-A also appends the following to the system HOSTS file in order to prevent access to certain websites, including common security and antivirus websites.

W32/Zotob-B worm and backdoor Trojan is similar to W32/Zotob-A. When first run W32/Zotob-B copies itself to %System%\csm.exe and creates the following registry entries so as to auto-start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
csm Win Updates
csm.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
csm Win Updates
csm.exe

W32/Zotob-B sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

W32/SDbot.worm!MS05-039
August 15, 2005

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4558 (released 8/15/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_135434.htm

August 15, 2005 9:15 am HST

We have received reports of several unpatched Windows systems on campus getting infected with the new variant W32/Sdbot.worm!MS05-039. This worm exploits the MS05-039 plug and play vulnerability which was announced on August 9, 2005 by Microsoft.

Please update your McAfee VirusScan DAT to 4558 as soon as possible. Use "Update Now" command.

Go to http://windowsupdate.microsoft.com using Internet Explorer and apply all critical windows patches. You must patch your system. Technical details and patch for the MS05-039 plug and play vulnerability is avaialable at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx .

This worm and the W32/Zotob worms scan the network for unpatched systems to exploit the MS05-039 plug and play vulnerability.

Method of Infection
This threat can be instructed to scan for MS05-039 exploitable systems. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.

If you suspect that your system has been infected (e.g. system shuts down and restarts by itself), please patch your Windows system, update your VirusScan DAT to 4558 and scan your hard drive. You may get a "buffer overflow protection" error message in VirusScan.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

W32/Mytob-DY (Sophos)
(aka W32/Mytob.eu@MM)
August 3, 2005

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4549 (released 8/3/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_135062.htm
http://www.sophos.com/virusinfo/analyses/w32mytobdy.html

August 3, 2005 11:30 am HST

Word of caution... A new variant of W32/Mytob-DY (Sophos) or W32/Mytob.eu@MM (McAfee) may be circulating on campus with a spoofed @hawaii.edu FROM address, e.g. register@hawaii.edu and an attachment. This email may claim that there is a problem with your email account or that you have successfully changed your password.

If you receive suspicious email, do NOT open the attachment. Please DELETE the messages.

The UH mail server (mail.hawaii.edu) is currently scanning for this threat. McAfee VirusScan (DAT 4548 and higher) detects the attachment as Generic Malware.a!.zip.

W32/Mytob-DY spreads via email with a spoofed FROM: address and attachment. It turns off anti-virus applications, allows hackers to access the computer, and mass mails itself to email addresses found on the infected computer.

FROM: (spoofed)

SUBJECT: (one of the following)

Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved

MESSAGE TEXT: (one of the following)

Dear user [str],
You have successfully updated the password of your [str] account.
If you did not authorize this change or if you need assistance with your account, please contact [str] customer service at: [str]
Thank you for using [str]!
The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]

Dear user [str],
It has come to our attention that your [str] User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using [str]!
The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]

Dear [str] Member,
We have temporarily suspended your email account [str].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [str] account.
Sincerely,The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]

Dear [str] Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The [str] Support Team
+++ Attachment: No Virus found
+++ [str] Antivirus - www.[str]

In the above message text [str] would be replaced with text from the user's email address.

ATTACHMENT: (one of the following base file names with file extension CMD, PIF, SCR, EXE or ZIP; the worm may create a double extension with a DOC, TXT or HTM first extension and a final extension of BAT, CMD, PIF, SCR, EXE or ZIP)

accepted-password
account-details
account-info
account-password
account-report
approved-password
document
email-details
email-password
important-details
new-password
password
readme
updated-password

Here is an example of the W32/Mytob-DY email:

Date: Wed, 03 Aug 2005 08:49:37 -0300
From: register@hawaii.edu <==== this is spoofed; not a valid UH username
To: uhusername@hawaii.edu
Subject: Your password has been successfully updated

Dear user uhusername,

You have successfully updated the password of your Hawaii account.

If you did not authorize this change or if you need assistance with your account, please contact Hawaii customer service at: register@hawaii.edu

Thank you for using Hawaii!
The Hawaii Support Team

+++ Attachment: No Virus (Clean)
+++ Hawaii Antivirus - www.hawaii.edu

Attachment: accepted-password.zip (58KB)

When run, W32/Mytob-DY copies itself to the Windows system folder as raloded.exe and sets the following registry entries in order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Msn Service
raloded.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Msn Service
raloded.exe

W32/Mytob-DY sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

W32/Mytob-DY modifies the HOSTS file changing IP-to-URL mappings for selected websites, including security websites, to point to the local machine. This prevents normal access to these websites.

If you have questions or need assistance, please contact the ITS Help Desk at (808) 956-8883, email help@hawaii.edu, or call toll free from the neighbor islands at (800) 558-2669.

W32/Mytob-AZ (Sophos)
(aka W32/Sober.aw@MM)
May 16, 2005

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4492 (released 5/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_133762.htm
http://www.sophos.com/virusinfo/analyses/w32mytobaz.html

May 16, 2005 5:00 pm HST

A new variant of the W32/Mytob mass-mailing worm and backdoor Trojan has been seen circulating on campus, spoofing FROM address Mail@hawaii.edu. It claims to be a problem with your email account. Please do not open suspicious email with attachments with ZIP, EXE, PIF, SCR or CMD extensions.

The UH mail server (mail.hawaii.edu) is scanning for this virus. Information is sparse at the McAfee website. The latest DAT 4492 is presumed to detect this variant (believed to be named W32/Mytob.aw@MM by McAfee). The UH repositories have been updated with DAT 4492. Please update your McAfee VirusScan DAT file as soon as possible, using the manual "Update Now" procedure (see http://www.hawaii.edu/antivirus/howtoupdate.html for instructions). Details will be posted as anti-virus vendor websites are updated.

Virus Description:(from the Sophos website)

The virus allows a remote hacker to gain access and control over the infected computer via IRC channels. It modifies the HOSTS file, changing the URL to IP mappings for selected websites, thus preventing normal access to these sites.

The virus is spread via mass emailing with the following characteristics:

FROM: (spoofed)

SUBJECT: (one of following)

*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Email Account Has Been Locked
Email Account Suspension
Your Email Account is Suspended For Security Reasons
Security Measures
Notice:***Your email account will be suspended***
Your email account access is restricted
Notie:***Last Warning***

MESSAGE TEXT: (one of following)

"To safeguard your email account from possible termination, please see the attached file."
"Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal."
"We have suspended some of your email services, to resolve the problem you should read the attached document."
"please look at attached document."
"Account Information Are Attached!"
"Follow the instructions in the attachment."

ATTACHMENT: ZIP, EXE, PIF, SCR or CMD file extension with one of the following basenames:

email-text
document_full
information
info-text
Your_details
IMPORTANT
email-info
email-doc
INFO

Example of the W32/Mytob infected email detected on campus:

From: Mail@hawaii.edu (spoofed)
Subject: Notice:***Your email account will be suspended***

We have suspended some of your email services, to resolve the problem you should read the attached document.

Attachment:
(Name: "info-text.bat") 45KB

When first run W32/Mytob-AZ copies itself to Windows System directory as LienVandeKelder.exe.

W32/Mytob-AZ creates the following registry entries so that the worm is run when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be "LienVandeKelder.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be "LienVandeKelder.exe"

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

W32/Sober.p@MM
(aka W32/Sober-N, W32.Sober.O@mm)
May 2, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4482 (released 5/2/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_133409.htm
Stinger Removal Tool: v2.5.4 (5/2/05) (download filename has been renamed ST1NGER.EXE as Sober.p terminates "stinger" process names)

May 2, 2005 3:00 pm HST

McAfee has raised the threat level of W32/Sober.p@MM to medium due to increased prevalence. The UH repositories have been updated. Please update your VirusScan DAT to 4482 (released 5/2/05) as soon as possible. See instructions for manually updating your VirusScan DAT files.

This virus is also known as W32/Sober-N (Sophos) and W32.Sober.O@MM (Symantec).

Virus Description

This mass mailing email worm pretends to have information about your email account or password in a .ZIP attachment. It sends itself to addresses harvested from the infected computer. The email message is constructed in German or English, depending on the domain of the recipients' email address. Once infected, the worm attempts to contact various TIME servers on TCP port 37.

These are the characteristics of the email (English version):

From: (spoofed, faked)

Subject line: One of the following:

mailing error
Registration Confirmation
Your email was blocked
Your Password

Message text: One of the following:

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached
(See attached file: < zip file name >)

Account and Password Information are attached!

Visit: < URL >

*** AntiVirus: No Virus found
*** "< vendor name >" Anti-Virus
*** < vendor url >
(See attached file: < zip file name >)

Account and Password Information are attached!

Visit: < URL >
(See attached file: < zip file name >)

Account and Password Information are attached!

Visit: < URL >

*** Server-AntiVirus: No Virus (Clean)
*** "< vendor name >" Anti-Virus
*** < vendor url >
(See attached file: < zip file name >)

ok ok ok,,,,, here is it

*** AntiVirus: No Virus found
*** "< vendor name >" Anti-Virus
*** < vendor url >
(See attached file: < zip file name >)

Attached file: One of the following:

mail_info.zip
account_info.zip
our_secret.zip

The attached filenames may contain an optional prefix "error-" or an optional suffix "-text" followed by the ZIP file extension.

The ZIP file will contain an executable file named Winzipped-Text_Data.txt< many spaces >.pif. This is an attempt to trick the recipient into clicking on a presumably safe text file.

When the ZIP file is extracted and the PIF file is manually executed, the virus may display a fake error message:

The worm copies itself to a newly created directory in the WINDOWS directory and creates registry run keys to load itself at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Run "_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run " WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe

File Symptoms

The following files are created:

c:\WINDOWS\Connection Wizard\Status\fastso.ber
c:\WINDOWS\system32\adcmmmmq.hjg
c:\WINDOWS\system32\langeinf.lin
c:\WINDOWS\system32\nonrunso.ber
c:\WINDOWS\system32\seppelmx.smx
c:\WINDOWS\system32\xcvfpokd.tqa

The following files are MIME encoded versions of the worm in a ZIP file:

c:\WINDOWS\Connection Wizard\Status\packed1.sbr
c:\WINDOWS\Connection Wizard\Status\packed2.sbr
c:\WINDOWS\Connection Wizard\Status\packed3.sbr

The following files contain email related data (such as domain names)

c:\WINDOWS\Connection Wizard\Status\sacri1.ggg
c:\WINDOWS\Connection Wizard\Status\sacri2.ggg
c:\WINDOWS\Connection Wizard\Status\sacri3.ggg
c:\WINDOWS\Connection Wizard\Status\voner1.von
c:\WINDOWS\Connection Wizard\Status\voner2.von
c:\WINDOWS\Connection Wizard\Status\voner3.von

The following files are copies of the worm:

c:\WINDOWS\Connection Wizard\Status\csrss.exe
c:\WINDOWS\Connection Wizard\Status\services.exe
c:\WINDOWS\Connection Wizard\Status\smss.exe

Note: there are legitimate Windows files named csrss.exe, services.exe, and smss.exe in the c:\Windows\system32 directory.

Once the computer is infected, the antivirus scanner will not be able to detect the file (read-access to the file may be denied). If you suspect that your computer is infected, you will need to reboot into Safe Mode. Make sure your DAT is updated to 4482 and run a full scan of your hard drive. Delete files flagged as infected. Restart the computer in normal mode.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

W32/Bagle.dldr
(aka Trojan.Tooso.B, Troj/BagleDI-L)
March 1, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4437 (released 3/1/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_129512.htm

March 1, 2005 12:15 pm HST

McAfee has raised the risk level of W32/Bagle.dldr to medium because of increased prevalence. DAT 4437 has been released early to detect this threat. The UH repositories have been updated. Please update your VirusScan DAT by manually running "Update Now" (instructions are at http://www.hawaii.edu/antivirus/howtoupdate.html ).

New variants of this Bagle downloader have been mass-spammed in the last 12 hours. These variants are not known at present to be dropped by any mass-mailing Bagle variants, and these variants do not mass-mail themselves.

This trojan downloader attempts to download and execute a file from several remote websites into %Windows%\_re_file.exe. It attempts to disable services and delete registry keys related to security applications such as antivirus and firewall software, to rename files belonging to security applications (so they no longer run), and to block access to security-related websites by changing the Windows HOSTS file to the loopback address 127.0.0.1.

Outgoing TCP connections to port 80 (HTTP) are established and it tries to download a file from a very long list of websites (some may be decoys). Malware is downloaded and executed by some Bagle variants:

This variant copies itself to the default Windows System directory %WinDir% \system32 as WINSHOST.EXE (34,304 bytes) and adds the following registry hooks:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ DownloadManager
HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe

It drops a file wiwshost.exe (18,944 bytes), which is detected by 4333DATs and above as W32/Bagle.dll.gen. This file gets injected into the EXPLORER process and tries to download a file zo2.jpg from various sites. It also terminates security services like its predecessors and in some cases renames the main security program executable.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

W32/Mydoom.be@MM
February 22, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4431 (released 2/21/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131868.htm
Stinger removal tool (v2.5.2, 2/21/05)

W32/Mydoom.be@MM is similar to previous variants of Mydoom.

Virus Description:

W32/Mydoom.be@MM is a mass mailing email worm with these characteristics:

has its own SMTP engine to construct messages
harvests email addresses from the victim's computer
- DOC, TXT, HTM, and HTML files
- addresses from active Outlook windows
queries lycos, altavista, yahoo and google search engines for email addresses
spoofs the FROM address (pretends to be sent from an email address and may appear to be a system message or bounced email message from the Postmaster)
downloads the BackDoor-CEB.f trojan
opens various TCP ports on the victim computer

W32/Mydoom.be@MM arrives via email with the following characteristics:

FROM: (spoofed; made to appear like a system message or a bounced email message)

mailer-daemon@(target_domain)
noreply@(target_domain)
postmaster@(target_domain)

with display names (one of the following):

"Postmaster"
"Mail Administrator"
"Automatic Email Delivery Software"
"Post Office"
"The Post Office"
"Bounced mail"
"Returned mail"
"MAILER-DAEMON"
"Mail Delivery Subsystem"

SUBJECT: (one of the following):

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

BODY: message is blank or may be similar to the following:

Dear user of [target domain],

Your account has been used to send a huge amount of unsolicited email during the recent week.
Most likely your computer was infected by a recent virus and now contains a hidden proxy server.

We recommend that you follow instructions in order to keep your computer safe.

Have a nice day,
[target domain] support team

Dear user of [target domain]

We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.

Please follow the instruction in the attached file
in order to keep your computer safe.

Have a nice day,
[domain] user support team.

Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
[domain] user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:

Mail server is not responding

The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.

ATTACHMENT: may be the target email address, e.g. user@hawaii.edu, or one of the following filenames:

README
INSTRUCTION
TRANSCRIPT
MAIL
LETTER
FILE
TEXT
ATTACHMENT
DOCUMENT
MESSAGE

with an optional extension of DOC, TXT, HTM, HTML followed by a number of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a ZIP file (file may be doubly ZIPped) containing a file named as described.

The virus queries four search engines to harvest addresses returned from those queries:

http://search.lycos.com
http://www.altavista.com
http://search.yahoo.com
http://www.google.com

The virus also harvests email addresses from any Outlook window that is active on the victim computer.

The virus attempts to download the backdoor trojan, BackDoor-CEB.f, from the following websites:

www.aartanridge.org.uk/YaBBImages/(neutered).gif
www.eastcoastchoons.co.uk/4play/(neutered) .JPG
www.foxalpha.com/charte/(neutered).jpg
www.ribaforada.net/banners/(neutered) .gif
www.sundayriders.co.uk/images/(neutered).gif
www.hooping.org/archives/(neutered).JPG
www.imogenheap.co.uk/iblog/(neutered).jpg
www.newgenerationcomics.net/banner/(neutered).jpg
ics.net/banner/(neutered).jpg <== not on W32/Mydoom.bd@MM

Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

C:\WINDOWS\JAVA.EXE

It also drops the file SERVICES.EXE into this directory:

C:\WINDOWS\SERVICES.EXE

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "JavaVM" = %WinDir%\JAVA.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "Services" = %WinDir%\SERVICES.EXE

The following Registry keys are also added:

HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

Various TCP ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a highport of the infected machine, to randomly generated IP addresses. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

W32/Bropia.worm.p
February 18, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4430 (released 2/18/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131862.htm

W32/Bropia.worm.p spreads through MSN messenger. The user must manually run the attachment in order to get infected. However, unlike previous variants it does not drop the W32/Sdbot.worm.gen worm.

The worm drops a copy of itself into the C:\ directory using any of the following filenames:

c:\Beautiful A**.pif
c:\John Kerry as Super Chicken.scr
c:\Kool.pif
c:\Me & you pic!.pif
c:\Me P***ed!.pif
c:\sexy.pif
c:\She Could Fit her A** in a Teacup.pif
c:\she's f***in fit.pif
c:\titanic2.jpg.pif

(* replaces text)

A copy of the worm is dropped in %SysDir% as Isass.exe, where %SysDir% is either C:\Windows\System32 or C:\WinNT\System32.

The following registry key is hooked to run the worm at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\Run "Isass" = %SysDir% \Isass.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\RunServices "Isass" = %SysDir% \Isass.exe

The worm creates a mutex object on the infected machine using the name:

.:*-F*k-U-*:.

The following processes are disabled on the victim's machine to prevent the user from manually stopping and removing the worm:

Regedit.exe - registry editor
Mstask.exe - task manager
Msconfig.exe - configuration manager

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

W32/Mydoom.bd@MM
February 18, 2005

W32/Mydoom.bd@MM is similar to other variants of Mydoom.

Virus Description:

W32/Mydoom.bd@MM is a mass mailing email worm with these characteristics:

has its own SMTP engine to constructs messages
harvests email addresses from the victim computer
spoofs the FROM address
downloads the BackDoor-CEB.f trojan
opens various TCP ports on the victim computer

W32/Mydoom.bd@MM arrives via email with the following characteristics:

FROM: (spoofed; made to appear like a system message or a bounced email message)

mailer-daemon@(target_domain)
noreply@(target_domain)
postmaster@(target_domain)

with display names (one of the following):

"Postmaster"
"Mail Administrator"
"Automatic Email Delivery Software"
"Post Office"
"The Post Office"
"Bounced mail"
"Returned mail"
"MAILER-DAEMON"
"Mail Delivery Subsystem"

SUBJECT: (one of the following):

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

BODY: message is blank or may be similar to the following:

Dear user of [target domain]

We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.

Please follow the instruction in the attached file
in order to keep your computer safe.

Have a nice day,
[domain] user support team.

Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
[domain] user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:

Mail server is not responding

The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.

ATTACHMENT: may be an EXE file extension with one of the following extensions:

It may also have the ZIP file extension and may be doubly ZIPped, e.g. a ZIPped file within a ZIP.

The attachment may use the target email address as the filename, in addition to one of the following filenames:

readme
instruction
transcript
mail
letter
file
text
attachment
document
message

The attachment may use a double extension and there may be multiple spaces between the file extensions to deceive users.

The virus harvests email addresses from .DOC, .TXT, .HTM, and .HTML files on the victim computer.

The virus queries four search engines to harvest addresses returned from those queries:

http://search.lycos.com
http://www.altavista.com
http://search.yahoo.com
http://www.google.com

www.aartanridge.org.uk/YaBBImages/(neutered).gif <== not on W32/Mydoom.bc@MM
www.eastcoastchoons.co.uk/4play/(neutered) .JPG
www.foxalpha.com/charte/(neutered).jpg
www.ribaforada.net/banners/(neutered) .gif
www.sundayriders.co.uk/images/(neutered).gif
www.foxalpha.com/charte/(neutered).jpg
www.hooping.org/archives/(neutered).JPG
www.imogenheap.co.uk/iblog/(neutered).jpg
www.newgenerationcomics.net/banner/(neutered).jpg

Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

C:\WINDOWS\JAVA.EXE

It also drops the file SERVICES.EXE into this directory:

C:\WINDOWS\SERVICES.EXE

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "JavaVM" = %WinDir%\JAVA.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "Services" = %WinDir%\SERVICES.EXE

The following Registry keys are also added:

HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

W32/Mydoom.bc@MM
February 18, 2005

W32/Mydoom.bc@MM is similar to other variants of Mydoom.

Virus Description:

W32/Mydoom.bc@MM is a mass mailing email worm with these characteristics:

has its own SMTP engine to constructs messages
harvests email addresses from the victim computer
spoofs the FROM address
downloads the BackDoor-CEB.f trojan
opens various TCP ports on the victim computer

W32/Mydoom.bc@MM arrives via email with the following characteristics:

FROM: (spoofed; made to appear like a system message or a bounced email message)

mailer-daemon@(target_domain)
noreply@(target_domain)
postmaster@(target_domain)

with display names (one of the following):

"Postmaster"
"Mail Administrator"
"Automatic Email Delivery Software"
"Post Office"
"The Post Office"
"Bounced mail"
"Returned mail"
"MAILER-DAEMON"
"Mail Delivery Subsystem"

SUBJECT: (one of the following):

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

BODY: message is blank or may be similar to the following:

Dear user of [target domain]
We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.

Please follow the instruction in the attached file
in order to keep your computer safe.

Have a nice day,
[domain] user support team.

Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
[domain] user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:

Mail server is not responding

The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.

ATTACHMENT: may be an EXE file extension with one of the following extensions:

readme
instruction
transcript
mail
letter
file
text
attachment
document
message

http://search.lycos.com
http://www.altavista.com
http://search.yahoo.com
http://www.google.com

www.eastcoastchoons.co.uk/4play/(neutered) .JPG
www.foxalpha.com/charte/(neutered).jpg
www.ribaforada.net/banners/(neutered) .gif
www.sundayriders.co.uk/images/(neutered).gif
www.foxalpha.com/charte/(neutered).jpg
www.hooping.org/archives/(neutered).JPG
www.imogenheap.co.uk/iblog/(neutered).jpg
www.newgenerationcomics.net/banner/(neutered).jpg

Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

C:\WINDOWS\JAVA.EXE

It also drops the file SERVICES.EXE into this directory:

C:\WINDOWS\SERVICES.EXE

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "JavaVM" = %WinDir%\JAVA.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "Services" = %WinDir%\SERVICES.EXE

The following Registry keys are also added:

HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

W32/Mydoom.bb@MM
(aka W32/MyDoom-o)
February 16, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4429 (to be released 2/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131856.htm

Feb. 16, 2005 2:45 pm HST

There's a new Mydoom email virus circulating on campus. W32/Mydoom.bb@MM appears to be from the mail administrator or a bounced email message and arrives with a spoofed FROM address and attachment with .ZIP, .EXE, .COM, .SCR, .PIF, .BAT or .CMD extensions. The UH mail server (mail.hawaii.edu) is blocking this virus.

McAfee VirusScan DAT 4429 (to be released 2/16/05) is required to detect this virus. Please delete messages matching this description and do NOT open any attachments. We will notify you when we receive DAT 4429 and update the UH repositories.

Virus Description:

W32/Mydoom.bb@MM is a mass mailing email worm with these characteristics:

has its own SMTP engine to constructs messages
harvests email addresses from the victim computer
spoofs the FROM address
contains a P2P (peer-to-peer) routine
downloads the BackDoor-CEB.f trojan
TCP port 1034 is opened on the victim computer

W32/Mydoom.bb@MM arrives via email with the following characteristics:

FROM: (spoofed; made to appear like a system message or a bounced email message)

mailer-daemon@(target_domain)
noreply@(target_domain)
postmaster@(target_domain)

with display names (one of the following):

"Postmaster"
"Mail Administrator"
"Automatic Email Delivery Software"
"Post Office"
"The Post Office"
"Bounced mail"
"Returned mail"
"MAILER-DAEMON"
"Mail Delivery Subsystem"

SUBJECT: (one of the following):

delivered
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

BODY: message is blank or may be similar to the following:

Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
[domain] user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND

readme
instruction
transcript
mail
letter
file
text
attachment
document
message

The filename may have an optional extension of .DOC, .TXT, .HTM, .HTML and a final extension of .ZIP, .EXE, .COM, .BAT, .CMD, .SCR or .PIF.

The virus copies itself to folders containing the strings:

USERPROFILE
yahoo.com

Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

C:\WINDOWS\JAVA.EXE

It also drops the file SERVICES.EXE into this directory:

C:\WINDOWS\SERVICES.EXE

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "JavaVM" = %WinDir%\JAVA.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "Services" = %WinDir%\SERVICES.EXE

The following Registry keys are also added:

HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

TCP Port 1034 is opened on the victim machine by the SERVICES.EXE process and listens for incoming connections. This process also sends TCP network traffic from a highport of the infected machine, to randomly generated IP addresses on destination Port 1034. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

W32/Sober.k@MM
(aka W32.Sober.j@mm)
January 31, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4424 (released 1/31/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131355.htm
Stinger removal tool (v2.4.9.2, 1/31/2005)

Jan. 31, 2005 9:30 am HST

McAfee has raised the risk of W32/Sober.k@MM (aka W32/Sober.j@mm) to medium due to increased prevalence. DAT 4424 has been released early to detect this threat. The UH repositories have been updated. Please update your VirusScan DAT to 4424 as soon as possible using "Update Now." Note: the new scan engine 4400 is required to delete and remove this virus.

Virus Description:

W32.Sober.k@MM is a mass mailing worm with the following characteristics:

written in German or English
FROM address is spoofed
ATTACHMENT: EMAIL_TEXT.ZIP or TEXT.ZIP (43KB)
The Zipped file contains the worm with filename MAIL_TEXT-INFO.TXT (many spaces) .PIF
When executed, Notepad opens an error message

The worm checks the country origin of the domain extension. If the domain extension is a German variant, the email message is sent in German; otherwise it is sent in English. The following is the English version of the W32/Sober.k@MM email:

From: (spoofed)
Subject: I've got YOUR email on my account!!
Body:
Hello,
First, Sorry for my very bad English!

Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but in the mail-text is a name & adress. I think it's your name and adress.

In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. lol

OK, I've copied all email text in the Windows Text-Editor and i've zipped the t ext file with WinZip. The sender of this mails is in the text file, too.

bye

Attachment:

EMAIL_TEXT.ZIP or
TEXT.ZIP

The ZIP archive contains a copy of the worm with the following filename:

MAIL_TEXT-INFO.TXT (many spaces) .PIF

Note: other anti-virus web sites indicate that the attachment may have other file extensions, including ZIP, PIF, SCR, BAT, COM or EXE.

The importance of the mail is set to "High" (this will only have an effect for certain mail clients).

The worm has a pool of strings which it uses to construct a random executable filename and registry keys for installing itself on the victim computer:

32
crypt
data
diag
dir
disc
expoler
host
log
run
service
smss32
spool
sys
win

The constructed filename always has a EXE file extension and consists of three strings from the pool of strings. The worm Writes itself to the default Windows System directory. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). For example, SYSSPOOLDISC.EXE.

The worm adds the value:

"[random value name]" = "%System%\[random file name].exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion

so that the worm executes every time Windows starts.

Network Symptoms:

Symptoms indicating the worm's presence on a network include:

outgoing messages matching the characteristics described here
unexpected NTP traffic on TCP port 37
unexpected attempts to log into several GMX accounts (POP3)
unexpected outgoing DNS queries DNS servers on the internet to one or more of the following domains:
- microsoft.com
- bigfoot.com
- yahoo.com
- t-online.de
- google.com
- hotmail.com

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

W32/Bagle.bj@MM, W32/Bagle.bk@MM
(aka W32.Beagle.az@mm)
January 27, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4423 (released 1/27/2005)
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_131351.htm

Jan. 27, 2005 9:30 am HST

McAfee has released DAT 4423 early to detect a couple of new Bagle email viruses. W32/Bagle.bj@MM is rated MEDIUM due to increased prevalence and W32/Bagle.bk@MM (aka W32.Beagle.az@MM; very similar to W32/Bagle.bj@MM) is rated LOW.

W32/Bagle.bj@MM and W32/Bagle.bk are mass mailing and peer-to-peer worms with the following characteristics:

has its own SMTP engine to construct outgoing messages
harvests email addresses from the infected computer
FROM address is spoofed
ATTACHMENT has extension .EXE, SCR, .COM, or .CPL
terminates security and antivirus programs
makes changes to the registry
opens random TCP ports starting from port 2339 on the infected computer
creates infected files in folders containing phrase SHAR (often used in peer-to-peer filesharing programs)

Virus Description:

The Bagle viruses (both variants) arrive via email with these characteristics:

From : (address is spoofed)
Subject :

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Body Text:

Thanks for use of our software.
Before use read the help

Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)

wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03

The virus copies itself into the Windows System directory as sysformat.exe. For example:

* C:\WINNT\SYSTEM32\sysformat.exe

It also creates other files in this directory to perform its functions:

* C:\WINNT\SYSTEM32\sysformat.exeopen
* C:\WINNT\SYSTEM32\sysformat.exeopenopen

The following Registry key is added to hook system startup:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe Additionally, the following Registry keys are added:

* HKEY_CURRENT_USER\Software\Microsoft\Params "TimeKey" It deletes these values

"My AV"
"ICQ Net"

from the following Registry keys, if they are present:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the process of security and antivirus programs. See McAfee article for complete list of filenames.

The virus contains a backdoor that can be used to run executable files sent to the infected computer.

The virus copies itself to folders on the infected computer that contain the phrase shar, copying itself with the following filenames:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

W32/Zafi.d@MM
(aka W32.Erkez.D@mm)
December 14, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4414 (released 12/14/2004)
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_130371.htm

Dec. 14, 2004 9:00 am HST

McAfee released DAT 4414 early to detect new variant W32/Zafi.d@MM. The risk level of this virus has been raised to Medium due to increased prevalence. The UH repositories have been updated. Please update your VirusScan DAT to 4414 using the manual "Update Now" method as soon as possible.

W32/Zafi.d@MM has the following characteristics:

contains its own SMTP engine to construct outgoing messages
spoofs the FROM address
harvests email addresses from the victim machine
outgoing email messages are in various languages pretending to be a holiday greeting
spreads via P2P filesharing
shuts down security services like firewalls and antivirus products
opens TCP port 8181 on the infected system

W32/Zafi.d@MM is a mass mailing worm that pretends to be a holiday greeting in various languages. The FROM address is spoofed and comes with an attachment. Do not open attachments from unknown users and be very cautious when opening attachments from known users. For this virus, the recipient must open the attachment before getting infected.

From: (Spoofed)

Subject: (One of the following)

Merry Christmas!
boldog karacsony...
Feliz Navidad!
ecard.ru
Christmas Kort!
Christmas Vykort!
Christmas Postkort!
Christmas postikorti!
Christmas - Kartki!
Weihnachten card.
Prettige Kerstdagen!
Christmas pohlednice
Joyeux Noel!
Buon Natale!

Body Text: (One of the following)

Happy HollyDays! :) [Recipient]
Kellemes Unnepeket! :) [Recipient]
Feliz Navidad! :) [Recipient]
:) [Recipient]
Glaedelig Jul! :) [Recipient]
God Jul! :) [Recipient]
God Jul! :) [Recipient]
Iloista Joulua! :) [Recipient]
Naulieji Metai! :) [Recipient]
Wesolych Swiat! :) [Recipient]
Frhliche Weihnachten! :) [Recipient]
Prettige Kerstdagen! :) [Recipient]
Vesel Vnoce! :) [Recipient]
Joyeux Noel! :) [Recipient]
Buon Natale! :) [Recipient]

Attachment: (May be one of the following)

Link.postcard.christmas.htm
card.php2662.gif.cmd
postcard.php8583.zip

Here is an example of an email sent by the Zafi.d worm. The graphic and format of the email are the same in other languages.

The worm also spreads via P2P (peer-to-peer) filesharing by copying itself to directories on the c: drive with the phrase share, upload or music with following filenames:

winamp 5.7 new!.exe
ICQ 2005a new!.exe

The worm tries to shutdown security services like firewalls and antivirus software. It attempts to make programs reged, msconfig, and task unavailable, making virus detection and cleanup more difficult.

The worm drops the following files to the default windows System %windir%\system32 folder:

C:\WINNT\system32\ .EXE - 11,745 bytes
C:\WINNT\system32\
C:\WINNT\system32\Norton Update.exe - 11,745 bytes
C:\WINNT\system32\ .DLL - (worm zipped up)
C:\s.cm - 20,552 bytes (winzip dll module)

It creates a registry key, so the file gets executed every time the machine starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows \CurrentVersion\Run "Wxp4" = C:\WINDOWS\SYSTEM32\Norton Update.exe

It creates the following registry key to store information of the worm:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4

W32/Sober.j@MM
November 19, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4409 (released 11/19/2004)
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_129531.htm
Stinger Removal Tool (v.2.4.4, 11/8/04)

Nov. 19, 2004 9:00 am HST

McAfee released DAT 4409 early to detect new variant W32/Sober.j@MM. McAfee has raised the risk level of another Mydoom variant, W32/Mydoom.ah@MM, to MEDIUM due to increased prevalence and released the full 4405 DAT early to detect both W32/Mydoom.ag@MM and W32/Mydoom.ah@MM variants. Both variants are similar.

The UH repositories have been updated. Please update your VirusScan DAT to 4409 using the manual "Update Now" method as soon as possible.

W32/Sober.j@MM has the following characteristics:

contains its own SMTP engine to construct outgoing messages

harvests email addresses from the victim machine

queries DNS and NTP servers to see if infected machine is connected to internet

The worm attempts to connect to computers via TCP 37:

swisstime.ee.ethz.ch

ntp2.ien.it

ntp0-rz.rrze.uni-erlangen.de

FS1.ece.cmu.edu

ntp2.ptb.de

ntp-sop.inria.fr

lanczos.maths.tcd.ie

time-a.timefreq.bldrdoc.gov

india.colorado.edu

gnomon.cc.columbia.edu

metasweb01.admin.ch

vega.cbk.poznan.pl

time.nist.gov

time.nrc.ca

ns1.usg.edu

otc2.psu.edu

nist1.symmetricom.com

clock.xmission.com

sue.cc.uregina.ca

For DNS, the worm attempts to connect to computers via UDP53:

141.40.10.35

213.218.170.6

217.237.151.33

213.239.234.108

200.74.214.246

212.242.88.2

151.201.0.39

82.195.234.2

195.112.195.34

80.148.11.231

131.243.64.3

129.187.16.1

141.40.10.35

62.39.89.71

145.253.2.171

195.182.96.29

203.162.0.11

131.174.8.14

207.217.120.43

216.203.115.105

209.235.107.14

62.156.146.242

210.66.241.1

194.209.114.1

209.253.113.2

129.187.10.25

208.48.34.135

217.116.224.253

61.95.134.168

193.158.124.143

212.71.97.156

192.35.232.34

217.237.150.225

207.69.188.186

166.60.12.11

The worm queries those servers for these domain names:

microsoft.com

bigfoot.com

yahoo.com

t-online.de

google.com

hotmail.com

The worm copies itself twice to the system folder using a constructed filename. The filenames are built by combining the following strings and always end with ".exe"

sys

host

dir

expoler

win

run

log

disc

crypt

data

diag

spool

service

smss32

Body: various error messages
Attachment: attaches a copy of itself using a constructed filename.

The system is hooked to run the virus on start up by the following registry keys. (Note: filename and keys are constructed using the technique above)

HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run "hostexpoler" Data: C:\WINNT\System32\datadiscwin.exe

HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run "wincryptx" Data: C:\WINNT\System32\cryptservice.exe %srun%

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run "disccryptx" Data: C:\WINNT\System32\cryptservice.exe %srun%

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run "runsmss32" Data: C:\WINNT\System32\datadiscwin.exe

W32/Mydoom.ah@MM
November 8, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4405 (released 11/9/2004)
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_129531.htm
Stinger Removal Tool (v.2.4.4, 11/8/04)

Nov. 9, 2004 7:00 am HST

McAfee has raised the risk level of another Mydoom variant, W32/Mydoom.ah@MM, to MEDIUM due to increased prevalence and released the full 4405 DAT early to detect both W32/Mydoom.ag@MM and W32/Mydoom.ah@MM variants. Both variants are similar.

The UH repositories have been updated. Please update your VirusScan DAT to 4405 using the manual "Update Now" method as soon as possible. Note: you do NOT need to install the SUPER EXTRA.DAT (for W32/Mydoom.ag@MM), if you have not already done so.

Nov. 8, 2004 6:15 p.m. HST

There is a new MyDoom variant going around -- without an attachment -- exploiting the Internet Explorer IFRAME buffer overflow vulnerability. If you receive an email matching the following description, please DELETE it. Do not click on any links in the email!

From: Spoofed address
Subject: (case may vary)

hi!
hey!
Confirmation
blank

Body: (either PayPal or webcam message)

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

To see details please click this link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

or

Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam photos!

See you!

or

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

The mail header may contain one of the following fields:

X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

There is no attachment. When you click on the link or homepage hyperlink in the email, HTML code on the infected computer exploits the IE IFRAME buffer overflow vulnerability which automatically executes the virus. The hyperlink contains the IP address of the infected computer that sent the Mydoom email.

Infected systems will have Windows Explorer listening on TCP port 1639.

There is no patch for the Internet Explorer vulnerability (yet). Internet Explorer 6 running on Windows XP SP1 and Windows 2000 appear to be affected. Windows XP SP2 systems are not affected.

Sophos calls this virus the Bofra worm. Their web page explains how the Mydoom (aka Bofra worm) spreads and infects computers.

W32/Bagle.bd@MM
(aka W32.Beagle.AW@mm)
October 29, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4403
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_129511.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.4.3, 10/29/2004)

Oct. 29, 2004 11:50 a.m. HST - McAfee released DAT 4403 early to detect new variant W32/Bagle.bd@MM due to increased prevalence. DAT 4403 will also detect W32/Bagle.bb@MM.

W32/Bagle.bd@MM is similar to W32/Bagle.bb@MM and has the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
the attachment (filename Price, price or joke) has a EXE, SCR, COM or CPL extension
contains a remote access component (listens on TCP port 81)
copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
tries to terminate anti-virus and security processes, as well as other viruses, such as Netsky
deletes registry entries of security programs and other worms

The worm arrives via email with the following characteristics:

FROM: (spoofed; uses email address harvested from local computer)

SUBJECT: (one of the following)

Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi

BODY: (one of the following)

ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)

Price
price
Joke

The following paragraph applies to W32/Bagle.bd@MM only:
If the worm is received as a CPL file and executed, it drops and executes the worm. The CPL dropper copies itself as CJECTOR.EXE within the default Windows directory. For example,

C:\WINNT\CJECTOR.EXE
-----W32/Bagle.bd@MM-------

The virus copies itself into the default Windows System directory as WINGO.EXE. For example, C:\WINDOWS\SYSTEM32\wingo.exe.

It also makes multiple copies of itself in the default Windows System directory:

C:\WINNT\SYSTEM32\wingo.exeopen
C:\WINNT\SYSTEM32\wingo.exeopenopen
etc.

The system is hooked to run the virus on startup by the following Registry key entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run "wingo" = "C:\WINDOWS\SYSTEM32\wingo.exe"

The registry key below is added to store data within a "TimeKey" key:

HKEY_CURRENT_USER\Software\Params

It creates a mutex to stop variants of virus W32/Netsky running on the infected computer.

These files are created in folders that contain the phrase SHAR (these folders are used with peer to peer applications such as KaZaa, Bearshare, Limewire, etc.):

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The worm terminates processes of the following security products if there are running on the victim machine:

mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe

The worm contacts a long list of websites (see http://vil.nai.com/vil/content/v_129511.htm for the complete list) to retrieve a file named G.JPG. At the time of the posting, the file was not available on any of the web sites.

W32/Bagle.bb@MM
(aka W32.Beagle.AV@mm)
October 29, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4402
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_129509.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.4.3, 10/29/2004)

Oct. 29, 2004 - McAfee released DAT 4402 early to detect new variant W32/Bagle.bb@MM due to increased prevalence.

W32/Bagle.bb@MM has the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
the attachment (filename Price, price or joke) has a EXE, SCR, COM or CPL extension
contains a remote access component (listens on TCP port 81)
copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
tries to terminate anti-virus and security processes, as well as other viruses, such as Netsky
deletes registry entries of security programs and other worms

The worm arrives via email with the following characteristics:

FROM: (spoofed; uses email address harvested from local computer)

SUBJECT: (one of the following)

Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi

BODY: (one of the following)

ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)

Price
price
Joke

The virus copies itself into the default Windows System directory as WINGO.EXE. For example, C:\WINDOWS\SYSTEM32\wingo.exe.

It also makes multiple copies of itself in the default Windows System directory:

C:\WINNT\SYSTEM32\wingo.exeopen
C:\WINNT\SYSTEM32\wingo.exeopenopen
etc.

The system is hooked to run the virus on startup by the following Registry key entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run "wingo" = "C:\WINDOWS\SYSTEM32\wingo.exe"

The registry key below is added to store data within a "TimeKey" key:

HKEY_CURRENT_USER\Software\Params

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The worm terminates processes of the following security products if there are running on the victim machine:

mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe

The worm contacts a long list of websites (see http://vil.nai.com/vil/content/v_129509.htm for the complete list) to retrieve a file named G.JPG. At the time of the posting, the file was not available on any of the web sites.

W32/Netsky.ag@MM
October 14, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4399
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_128905.htm

McAfee has released DAT 4399 early due to the increase in prevalence of a new variant W32/Netsky.ag@MM mass mailing worm. The UH repositories have been updated. Please update your McAfee VirusScan DAT to 4399 as soon as possible using the manual "Update Now" method.

Virus Description
-----------------
W32/Netsky.az@MM has the following characteristics:

contains its own SMTP engine to construct outgoing messages

harvests email addresses from the victim machine

the From: address of messages is spoofed

copies itself to local folders containing the string share or sharing, network shares and P2P shared folders.

When run, the worm displays a message box "File corrupted replace this!"

The virus copies itself into the default Windows System directory as MsnMsgrs.EXE. For example, C:\WINDOWS\SYSTEM32\MsnMsgrs.exe

The system is hooked to run the virus on startup by the following Registry key entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Run "MsnMsgr" = %WinDir%\MsnMsgrs.exe -alev

It copies itself to Windows directory as the following files:

Agradou.zip

agua!.zip

AIDS!.zip

aqui.zip

banco!.zip

bingos!.zip

botao.zip

brasil!.zip

carros!.zip

circular.zip

contas!!.zip

criancas!.zip

diga.zip

dinheiro!!.zip

docs.zip

email.zip

festa!!.zip

flipe.zip

grana!!.zip

grana.zip

imposto.zip

impressao!!.zip

jogo!.zip

lantrocidade.zip

LINUSTOR.zip

loterias.zip

lulao!.zip

massas!.zip

missao.zip

MsnMsgrs.exe

revista.zip

robos!.zip

sampa!!.zip

sorteado!!.zip

tetas.zip

vaca.zip

vadias!.zip

vips!.zip

Voce.zip

war3!.zip

Zerado.zip

The Subject: field may contain one of the following subjects

0123456789

Abra rapido isso!!!!

acrdito que em voce!!!

algo a mais

AmaVoce

amor me liga

AninhaPutinha +55operado6992292246

arquivo zipado PGP???

Boleto Pague

campanhadafome

encontro voce!

estou doente veja!!!

falea verdade!!!

ferias nos E.U.A

ganhe muita grana

gostaria disso e voce???

grana

Hackers do Brasil

Lembra?

me diz o queacha?

me veja peladinha

Medical Labs Exames!!!

meu telefone liga

olha que isso!!!

parabens!

PizzaVeneza!

Policia SP

pq nao me liga??

preenche ai ta bom

promocao de viajens de fim de ano

Proposta de emprego!!

receitas de bolo!!

retorna logo isso!!

reza de sao tome!!!!.

sinto voce!!

sua conta bancaria zerada

Sua Conta!!

Surto :(

te amo!

tudo sobre voce sabe

Vacina contra o HIV!!

ve ai logo ta

veja detalhes!!!.

veja o que tem no zip e me liga

voce passou :D!!!

The Attachment: field may contain one of the following

agradou

agua!

AIDS!

banco!

bingos!

botao

brasil!

carros!

circular

contas!!

criancas!

dinheiro!!

festa!!

flipe

grana

grana!!

imposto

impressao!!

jogo!

lantrocidade

LINUSTOR

loterias

lulao!

massas!

missao

morto

pescaria por kilo

revista

robos!

sampa!!

sorteado!!

Sua saude esta bem?

tetas

vadias!

vips!

war3!

zerado

The body: field may contain one of the following:

PizzaVeneza!

preenche ai ta bom

encontro voce!

veja detalhes!!!.

reza de sao tome!!!!.

Abra rapido isso!!!!

AmaVoce

AMA!

ve ai logo ta

voce passou :D!!!

arquivo zipado PGP???

retorna logo isso!!

me diz o queacha?

estou doente veja!!!

Proposta de emprego!!

tudo sobre voce sabe

promocao de viajens de fim de ano

acrdito que em voce!!!

receitas de bolo!!

veja o que tem no zip e me liga

Boleto Pague

Sua Conta!!

Policia SP

te amo!

parabens!

olha que isso!!!

sua conta bancaria zerada

Vacina contra o HIV!!

Surto :(

ferias nos E.U.A

meu telefone liga

Medical Labs Exames!!!

Hackers do Brasil

amor me liga

Lembra?

grana

sinto voce!!

pq nao me liga??

vaca

campanhadafome

ganhe muita grana

falea verdade!!!

algo a mais

gostaria disso e voce???

me veja peladinha

FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

If you need more assistance, please contact the ITS Help Desk at 808-956-8883, 800-558-2669 (toll free from neighbor islands), or email help@hawaii.edu.

W32/Bagle.az@MM
(aka W32.Beagle.AR@mm)
September 28, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4395
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_128582.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.4.0, 9/28/2004)

September 28, 2004 3:15 pm HST

McAfee has released DAT 4395 early to detect a new variant W32/Bagle.az@MM (aka W32.Beagle.AR@mm) mass mailing worm. The UH repositories have been updated. Please update your McAfee VirusScan DAT to 4395 as soon as possible using the manual "Update Now" method.

JPEG (GDI+) Critical Windows Vulnerability (MS04-028)

This is worth repeating... especially since W32/Bagle.az worm downloads a .JPG file.

On Sept. 14, Microsoft announced the JPEG (GDI+) vulnerability in security bulletin MS04-028 affecting Windows operating systems, as well as applications, such as Microsoft Office, Visio, Visual Studio, .NET Framework, and others. Go to http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx for details and patches. This is a CRITICAL update. A specially crafted JPEG can contain code for remote code execution. Code exploiting the JPEG vulnerability was posted to Usenet a few days ago.

Please patch your Windows system (go to http://windowsupdate.microsoft.com) and Microsoft Office (go to http://officeupdate.microsoft.com) as soon as possible.

SANS has released its own GDI scanner (since the Microsoft tool is not too helpful). It checks for vulnerable DLLs on your system (Windows 2000 and higher). Download from http://isc.sans.org/gdiscan.php.

Virus Description

W32/Bagle.az@MM has the following characteristics:

contains its own SMTP engine to construct outgoing messages

harvests email addresses from the victim machine

the From: address of messages is spoofed

the attachment (filename price or joke) has a EXE, SCR, COM or CPL extension

contains a remote access component (listens on TCP port 81 and a random UDP port)

copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

tries to disable anti-virus and security processes, as well as other viruses, such as Netsky

The worm arrives via email with the following characteristics:

FROM: (spoofed; uses email address harvested from local computer)

SUBJECT: (one of the following)

Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi

BODY: (one of the following)

ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)

Price
price
Joke

The virus copies itself into the default Windows System directory as BAWINDO.EXE. For example, C:\WINDOWS\SYSTEM32\bawindo.exe.

It also creates other files in the default Windows System directory:

C:\WINDOWS\SYSTEM32\bawindo.exeopen
C:\WINDOWS\SYSTEM32\bawindo.exeopenopen

The system is hooked to run the virus on startup by the following Registry key entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"

It creates a mutex to stop variants of virus W32/Netsky running on the infected computer.

These files are created in folders that contain the phrase SHAR (these folders are used with peer to peer applications such as KaZaa, Bearshare, Limewire, etc.):

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The worm removes registry keys for other worms and security products:

"My AV"

"Zone Labs Client Ex"

"9XHtProtect"

"Antivirus"

"Special Firewall Service"

"service"

"Tiny AV"

"ICQNet"

"HtProtect"

"NetDy"

"Jammer2nd"

"FirewallSvr"

"MsInfo"

"SysMonXP"

"EasyAV"

"PandaAVEngine"

"Norton Antivirus AV"

"KasperskyAVEng"

"SkynetsRevenge"

"ICQ Net" that are listed in these registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run

The worm contacts a long list of websites to retrieve a file named WS.JPG. At the time of the posting, the file was not available on any of the web sites. See http://vil.nai.com/vil/content/v_128582.htm for the complete list of web sites.

FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

W32/Mydoom.s@MM
(aka W32.Mydoom.Q@mm)
August 16, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4386
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_127616.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.9, 8/16/2004)

August 16, 2004 2:30 pm HST

A new variant of MyDoom has been released... W32/MyDoom.s@MM has been raised to MEDIUM risk by McAfee due to increased prevalence. This email virus spreads with a spoofed (forged, pretending to be someone else) FROM address and attachment photos_arc.exe. The virus harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages. The harvested addresses are sent the virus. The virus downloads a backdoor trojan, BackDoor-CHR, from 2 websites.

As a pre-caution, please DELETE suspicious email with attachments, even from people you know. Do not even try to open the attachment. If you try to open the attachment (and it doesn't successfully open), your Windows computer will get infected.

W32/Mydoom.s@MM arrives in email with the following characteristics:

FROM: (spoofed, forged)

may use email address harvested from infected computer or use a list of common names with domain t-online.de, mail.com, yahoo.com, hotmail.com or the domain used for your Internet account

SUBJECT: photos
BODY: LOL!;))))
ATTACHMENT: photos_arc.exe

When the attachment is run, the virus copies itself to the default WINDOWS (C:\Windows or C:\Winnt) directory as rasor38a.dll, and to the default Windows SYSTEM (C:\Windows\System, C:\Winnt\System32, or C:\Windows\System32) directory as winpsd.exe.

The virus creates the following registry key values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\ComDlg32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Explorer\ComDlg32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "winpsd" = C:\WINDOWS\System32\winpsd.exe

The virus downloads a backdoor component from two different websites:

www.richcolour.com
zenandjuice.com

FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

BackDoor-CHR
(aka Backdoor.Nemog)
August 16, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4386
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_127617.htm

August 16, 2004 2:30 pm HST

W32/Mydoom.s@MM downloads the remote access trojan, BackDoor-CHR, which has the following characteristics:

stealths (hides) its activity on the victim machine

serves as a HTTP proxy

serves as an SMTP relay

attempts to connect to numerous remote IRC servers (for remote reporting/command)

appends the local hosts file (in an attempt to disable updating of many AV products)

The trojan attempts to connect to a remote IRC server to await commands. It carries a list of IP addresses and relevant ports (4661, 4242, 8080, and 3306) for many IRC servers (see virus description for list of servers and ports).

When executed, the trojan copies itself to the startup folder on the victim machine, as DX32HHLP.EXE. For example:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DX32HHLP.EXE

The trojan also drops a 4,096 byte kernel mode driver used for stealthing:

%SYSTEMROOT%\SYSTEM32\DX32HHEC.SYS

This component is installed as a service on the victim machine. The service information is stored within the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\dx32hhec

The service bears the following characteristics:

Display name: dx32hhec
Image Path: %SYSTEMROOT%\SYSTEM32\dx32hhec.sys
Startup: Automatic

Note: Once this stealthing driver is running on the victim machine, this threat is not detected by conventional AV scanning methods. You must boot into Safe Mode to detect and remove this trojan.

The trojan appends the local hosts file on the victim machine, redirecting requests for many antivirus and security vendor web sites and update sites to the local host, i.e. the infected computer. Such modified hosts files are detected (and repaired) as QHosts.apd with the 4352 DATs or greater.

Two ports (exact port numbers used vary) are opened by the trojan. For example, TCP 33167 and 33170 were opened in testing.

If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

W32/Bagle.aq@MM
(aka W32.Beagle.ao@mm)
August 9, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4384
Minimum VirusScan scan engine: 4.3.40
For more information: http://vil.nai.com/vil/content/v_127423.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.8, 8/9/2004)

August 9, 2004 11:30 am HST

McAfee released VirusScan DAT 4384 to detect W32/Bagle.aq@MM. DAT 4384 has been posted to the UH repositories. Please update your VirusScan DAT as soon as possible using the manual " Update Now" method.

W32/Bagle.aq@MM spreads via email with a spoofed FROM address and a .ZIP attachment (which contains an EXE and HTML file). The EXE file (same name as the ZIP file) is contained within a folder in the ZIP file so when it is viewed with Explorer (instead of a stand-alone ZIP utility such as WinZip or PKzip) only the HTML file and a folder is visible.

The HTML file contains exploit code which will automatically run the EXE file, which is a downloader trojan, on vulnerable Windows systems. The downloader trojan contacts a large number of websites to retrieve the virus itself.

The worm harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages.

Warning: since the Bagle source code was released on the Internet in early July 2004, please expect more Bagle variants to be released. As a pre-caution, please DELETE suspicious email with attachments, even from people you know. The current viruses spoof or forge the FROM address, pretending to be sent from someone else. If you try to open the attachment (even if it doesn't successfully open), your Windows computer will get infected.

W32/Bagle.aq@MM arrives in email with the following characteristics:

FROM: (spoofed or forged address)

SUBJECT: (blank)

BODY:

new price

ATTACHMENT (one of the following):

price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip

The ZIP file contains PRICE.EXE and PRICE.HTML files.

When the HTML file is run on a vulnerable system, it will run the EXE file. When the EXE file is run (manually or automatically by the HTML file), it copies itself in the default Windows System directory as WINDIRECT.EXE. For example,

C:\WINNT\SYSTEM32\WINdirect.exe

It also drops a DLL file in this directory:

_dll.exe

The DLL file is injected into the Explorer.exe process, so its actions will appear to have originated from Explorer.exe.

The following Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe

Once the virus executable is downloaded and run by the downloader trojan, the virus copies itself into the Windows System directory as WINDLL.EXE. For example:

C:\WINNT\SYSTEM32\windll.exe

It also creates other files in this directory to perform its functions:

C:\WINNT\SYSTEM32\windll.exeopen
C:\WINNT\SYSTEM32\windll.exeopenopen

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"

Additionally, the following Registry keys are added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Ru1n

'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

It opens TCP port 80 and a random UDP port on the infected machine for remote connections.

It attempts to delete registry entries for several security and anti-virus products from these registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

deleting any values that contain these strings:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

It attempts to copy itself in any folder with the characters SHAR in its folder name with the following file names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The SHAR folders are often used in peer-to-peer (P2P) filesharing programs such as KaZaa, Bearshare, Limeware, etc.

FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

W32/Mydoom.o@MM
July 26, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium on Watch
Minimum VirusScan DAT: 4381
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_127033.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.5, 7/26/2004)

July 26, 2004 9:00 am HST

A new variant of MyDoom has been released... W32/MyDoom.o@MM has been raised to MEDIUM on WATCH risk by McAfee due to increased prevalence. This email virus spreads with a spoofed (forged, pretending to be someone else) FROM address and attachment with .EXE, .COM, .SCR, .PIF, .BAT, .CMD and .ZIP file extension. If the attachment is a ZIP archive, the it may be double ZIPped, i.e. a .ZIP within a .ZIP.

The attachment's file extension may use a double extension and there may be multiple spaces between the file extensions to fool users.

The virus harvests email addresses from files (.doc, .txt, .htm, .html) on the infected computer and from any active Microsoft Outlook window. It uses its own SMTP engine to construct outgoing messages. It queries four search engines to harvest email addresses:

http://search.lycos.com

http://www.altavista.com

http://search.yahoo.com

http://www.google.com

The messages may appear to be a bounced message from a mail server with FROM addresses similar to mailer-daemon@(target_domain) or noreply@(target_domain).

The virus contains a remote access component, listening to TCP port 1034.

It also copies itself to folders with the strings USERPROFILE or yahoo.com in the folder name, commonly used by peer-to-peer applications.

As a pre-caution, please DELETE suspicious email with attachments, even from people you know. Do not even try to open the attachment. If you try to open the attachment (and it doesn't successfully open), your Windows computer will get infected.

W32/Mydoom.o@MM arrives in email with the following characteristics:

FROM: (spoofed, forged)

SUBJECT: (one of the following)

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

ATTACHMENT: (extension EXE, COM, SCR, PIF, BAT, CMD, ZIP)

Target email address as filename or one of the following:

README
INSTRUCTION
TRANSCRIPT
MAIL
LETTER
FILE
TEXT
ATTACHMENT
DOCUMENT
MESSAGE

If the W32/Mydoom.o@MM email appears to be a bounced message, it will have one of the following SUBJECT lines:

"Automatic Email Delivery Software"
"Bounced mail"
"MAILER-DAEMON"
"Mail Administrator"
"Mail Delivery Subsystem"
"Post Office"
"Returned mail"
"The Post Office"

with the following BODY text:
=======begin body text==========
Dear user of [TargetDomain],

We have received reports that your account was used to send a large amount of junk email messages during the last week. Probably, your computer had been compromised and now contains a hidden proxy server.

Please follow the instruction in the attached file in order to keep your computer safe.

Have a nice day,
[TargetDomain] user support team.
=======end body text================

Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

C:\WINDOWS\JAVA.EXE

It also drops the file SERVICES.EXE (8,192 bytes) into this directory:

C:\WINDOWS\SERVICES.EXE

Note: there is a legitimate Windows system file in %WinDir%\System32 with filename SERVICES.EXE which must NOT be deleted. Make sure to check the file size.

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run "JavaVM" = %WinDir%\JAVA.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run "Services" = %WinDir%\SERVICES.EXE

The following Registry keys are also added:

HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

W32/Bagle.ai@MM
(aka W32.Beagle.ag@mm)
July 19, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4379
Minimum VirusScan scan engine: 4.3.40
For more information: http://vil.nai.com/vil/content/v_126798.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.4, 7/19/2004)

July 19, 2004 1:35 pm HST

McAfee released VirusScan DAT 4379 to detect W32/Bagle.ai@MM. Please update your VirusScan DAT as soon as possible using the manual "Update Now" method.

W32/Bagle.ai@MM spreads via email with a spoofed FROM address and attachment with .EXE, .SCR, .COM, .CPL, and .ZIP (password protected) file extension. If the attachment is a .ZIP file, the password will be contained in the body of the message. It harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages.

Warning: since the Bagle source code was released on the Internet earlier this month, please expect more Bagle variants to be released. As a pre-caution, please DELETE suspicious email with attachments, even from people you know. If you try to open the attachment (even if it doesn't successfully open), your Windows computer will get infected.

W32/Bagle.ai@MM arrives in email with the following characteristics:

FROM: (spoofed address)

SUBJECT:

Re:

BODY:

>foto3 and MP3
>fotogalary and Music
>fotoinfo
>Lovely animals
>Animals
>Predators
>The snake
>Screen and Music

ATTACHMENT (one of the following):

MP3
Music_MP3
New_MP3_Player
Cool_MP3
Doll
Garry
Cat
Dog
Fish

ATTACHMENT extension (one of the following):

.EXE
.SCR
.COM
.CPL
.ZIP

If the attachment is a password-protected ZIP archive, the password is included in the message body.

BODY: (one of the following)

Password: (random number)
Pass - (random number)
Key - (random number)

The password-protected ZIP files may also contain a second, randomly-named benign file with extension .INI, .CFG, .TXT, .VXD, .DEF, and .DLL. These files contain random characters.

The virus copies itself in the default Windows System directory as WinXP.EXE. For example,

C:\WINNT\SYSTEM32\WinXP.exe

It also creates other files in the same directory to perform its functions:

%SysDir% \WinXP.exeopen
%SysDir% \WinXP.exeopen open
%SysDir% \WinXP.exeopen openopen
%SysDir% \WinXP.exeopen openopenopen

It adds the following Registry key to hook itself on system startup:

The worm attempts to terminate various security programs and other worms, i.e. Netsky. It opens a backdoor on TCP port 1080 and UDP port 1040 on the infected machine.

It attempts to delete registry entries for several security and anti-virus products from these registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

deleting any values that contain these strings:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

It attempts to copy itself in any folder with the characters SHAR in its folder name with the following file names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

W32/Bagle.ag@MM
(aka W32.Beagle.ac@mm)
July 19, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4378
Minimum VirusScan scan engine: 4.3.40
For more information: http://vil.nai.com/vil/content/v_126795.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.3, 7/19/2004)

July 19, 2004 8:15 am HST

McAfee has released DAT 4378 to detect W32/Bagle.ag@MM. Please update your VirusScan DAT as soon as possible using the manual "Update Now" method. Note: DAT 4378 detects the password-protected ZIP attachment for W32/Bagle.af@MM virus from last week.

W32/Bagle.ag@MM spreads via email with a spoofed FROM address and attachment with .EXE, .SCR, .COM, .CPL, and .ZIP (password protected) file extension. If the attachment is a .ZIP file, the password will be contained in the body of the message (plain text or image). It harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages.

W32/Bagle.ag@MM arrives in email with the following characteristics:

FROM: (spoofed address)

SUBJECT (one of the following):

Password: %s

Pass - %s

Key - %s

Re:

foto3

fotogalary

fotoinfo

Lovely animals

Animals

Predators

The snake

Screen

BODY:

(blank) ATTACHMENT (one of the following):

foto3
foto2
foto1
Secret
Doll
Garry
Cat
Dog
Fish

ATTACHMENT extension (one of the following):

.EXE
.SCR
.COM
.CPL
.ZIP

If the attachment is a password-protected ZIP archive, the email has the password in the message body as a bitmap image:

BODY: (one of the following)

Password: (Image File)
Pass - (Image File)
Key - (Image File)
:)(Image File)

The password-protected ZIP files may also contain a second, randomly-named benign file with extension .INI, .CFG, .TXT, .VXD, .DEF, and .DLL. These files contain random characters.

The virus copies itself in the default Windows System directory as SYS_XP.EXE. For example,

C:\WINNT\SYSTEM32\sys_xp.exe

It also creates copies of itself (with garbage appended) in the same directory:

sys_xp.exeopen
sys_xp.exeopenopen

It adds the following Registry key to hook itself on system startup:

The worm attempts to terminate various security programs and other worms, i.e. Netsky. It opens a backdoor on TCP port 1080 on the infected machine.

These are the programs that it attempts to terminate:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

It attempts to copy itself in any folder with the characters SHAR with the following file names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

W32/Bagle.af@MM
(aka W32.Beagle.ab@mm)
July 15, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium on Watch
Minimum VirusScan DAT: 4377
Minimum VirusScan scan engine: 4.3.40
For more information: http ://vil.nai.com/vil/content/v_126792.htm
http://www.sophos.com/virusinfo/analyses/w32bagleaf.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ab@mm.html
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.2, 7/15/2004)

July 15, 2004 7:30 pm HST

McAfee has released DAT 4377 to detect W32/Bagle.af@MM. Please update your VirusScan DAT as soon as possible using the manual "Update Now" method.

W32/Bagle.af@MM spreads via email with a spoofed FROM address and attachment with .EXE, .SCR, .COM, .CPL, and .ZIP file extension. If the attachment is a .ZIP file, the password will be contained in the body of the message (plain text or image). It harvests email addresses from files on the infected computer.

W32/Bagle.af@MM arrives in email with the following characteristics:

FROM: (spoofed address)

SUBJECT (one of the following):

Re: Msg reply

Re: Hello

Re: Yahoo!

Re: Thank you!

Re: Thanks :)

RE: Text message

Re: Document

Incoming message

Re: Incoming Message

RE: Incoming Msg

RE: Message Notify

Notification

Changes..

Update

Fax Message

Protected message

RE: Protected message

Forum notify

Site changes

Re: Hi

Encrypted document

BODY (one of the following):

Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

ATTACHMENT (one of the following):

Information
Details
text_document
Updates
Readme
Document
Info
MoreInfo
Message

ATTACHMENT extension (one of the following):

.exe
.scr
.com
.cpl
.zip

If the attachment is a password-protected ZIP archive, the email has the following characteristics:

SUBJECT: (one of the following)

Password:
Pass -
Password -

BODY: (one of the following)

For security reasons attached file is password protected. The password is
For security purposes the attached file is password protected. Password --
Note: Use password to open archive.
Attached file is protected with the password for security reasons. Password is
In order to read the attach you have to use the following password:
Archive password:
Password -
Password:

The password-protected ZIP files may also contain a second, randomly-named benign file with extension .INI, .CFG, .TXT, .VXD, .DEF, and .DLL. These files will contain random garbage characters.

The virus copies itself in the default Windows System directory as SYSXP.EXE. For example,

C:\WINNT\SYSTEM32\sysxp.exe

It also creates copies of itself (with garbage appended) in the same directory:

sysxp.exeopen
sysxp.exeopenopen

It adds the following Registry key to hook itself on system startup:

The worm attempts to terminate various security programs and other worms, i.e. Netsky. It opens a backdoor on TCP port 1080 and random UDP ports.

These are the programs that it attempts to terminate:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

It attempts to copy itself in any folder with the characters SHAR with the following file names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

W32/Bagle.ad@MM
(aka W32.Beagle.Y@mm)
July 5, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4373 (released 7/5/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_126562.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.0, updated 7/5/2004)

July 5, 2004 3:00 pm HST

McAfee has raised the risk level of W32/Bagle.ad@MM to MEDIUM due to increased prevalence and media attention. McAfee VirusScan DAT 4373 detects this threat and has been updated on the UH repositories.

Please update your VirusScan DAT to 4373 as soon as possible using the manual "Update Now" method. The ITS mail server (mail.hawaii.edu) is scanning for this threat.

The worm includes a copy of its assember source code. Expect to see more Bagle variants released soon based on this source code, i.e.different port number used by backdoor, backdoor password, date of expiry, etc.

W32/Bagle.ad@MM spreads via email with a spoofed FROM address and attachment with .HTA, .VBS, .EXE, .SCR, .COM, .CPL, and .ZIP file extension. If the attachment is a .ZIP file, the password will be contained in the body of the message (plain text or image ). It harvests email addresses from files on the infected computer.

W32/Bagle.ad@MM arrives in email with the following characteristics:

SUBJECT (one of the following):

Changes..

Encrypted document

Fax Message

Forum notify

Incoming message

Notification

Protected message

Re: Document

Re: Hello

Re: Hi

Re: Incoming Message

RE: Incoming Msg

RE: Message Notify

Re: Msg reply

RE: Protected message

RE: Text message

Re: Thank you!

Re: Thanks :)

Re: Yahoo!

Site changes

Update

BODY (one of the following):

Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Here is the file.
Message is in attach
More info is in attach
Pay attention at the attach.
Please, have a look at the attached file.
Please, read the document.
Read the attach.
See attach.
See the attached file for details.
Your document is attached.
Your file is attached.

ATTACHMENT (one of the following):

Information
Details
text_document
Updates
Readme
Document
Info
MoreInfo
Message

ATTACHMENT extension (one of the following):

.hta
.vbs
.exe
.scr
.com
.cpl
.zip

The virus copies itself in the default Windows System directory as LOADER_NAME.EXE. For example,

It also creates copies of itself with garbage appended in the same directory:

loader_name.exeopen
loader_name.exeopenopen

It adds the following Registry key to hook itself on system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "reg_key " = "C:\WINNT\System32\loader_name.exe"

The worm attempts to terminate various security programs and other worms, i.e. Netsky. It opens a backdoor on TCP port 1234, which allows the infected computer to be an email relay.

It attempts to copy itself in any folder with the characters SHAR with the following file names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

W32/Lovgate.ad@MM
July 2, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4372 (released 7/2/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_126560.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.9, updated 7/2/2004)

July 2, 2004 3:20 pm HST

McAfee (note name change from NAI) has raised the threat level of W32/Lovgate.ad@MM to MEDIUM due to increased prevalence. VirusScan DAT 4372 has been released to detect this threat and posted to UH repositories. Please update your McAfee VirusScan DAT as soon as possible using the manual "Update Now"method.

This variant exploits the RPC Buffer Overflow vulnerability (MS03-026, superceded by MS03-039 patch). MS03-039 patch is available at http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx. Please make sure to patch your systems for this vulnerability.

W32/Lovgate.ad@MM is an email worm (152,064 bytes) with these characteristics:

drops a backdoor component (detected as BackDoor-AQJ)

attempts to copy itself to accessible or poorly secured remote shares (with weak passwords), scanning contiguous IP ranges, seeking accessible IPC$ or ADMIN$ shares.

creates a share on the victim machine (share name "MEDIA").

mails itself, constructing message uses its own SMTP engine. Email attachment may be a ZIP archive. The zipped archive contains a copy of the worm with a COM, EXE, PIF or SCR extension.

the worm replies to unread messages in Microsoft Outlook and Outlook Express inboxes and deletes the messages after responding to them.

performs companion virus infection of EXE files (replacing original file with a copy of itself, and renaming original with a .ZMX extension) on mapped network drives.

terminates processes associated with various AV and security products.

This variant also uses the RPC Interface Buffer Overflow vulnerability (MS03-026, superceded by the MS03-039 patch) in order to infect other machines on the network. MS03-039 patch is available at http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx.

EMAIL PROPAGATION

The virus responds to unread messages in Microsoft Outlook and Outlook Express inboxes and deletes the messages after responding to them.

Subject: Re: Original subject

Body:

======
original message body
======
Mail auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE YAHOO.COM Mail now! <

It also constructs messages using its own SMTP engine.

Subject: (one of the following)

hi
hello
Hello
Mail transaction Failed
mail delivery system

Body: (one of the following)

Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

Attachment: (random strings with EXE, PIF, SCR, ZIP extensions)

NETWORK PROPAGATION

The worm attempts to connect to remote shares (IPC$ and ADMIN$), using a list of usernames and passwords it carries. If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:

ADMIN$\SYSTEM32\NETMANAGER.EXE

and remotely executing it as a service. The service bears the following characteristics:

It will attempt to gain access to computers on the network by logging in as an Administrator and using a list of common or simple passwords.

It creates a network share, "Media," and drops the following files into C:\%Windir%\Media\

WinRAR.exe
Internet Explorer.bat
Documents and Settings.txt.exe
Microsoft Office.exe
Windows Media Player.zip.exe
Support Tools.exe
Window
Update.pif
Cain.pif
MSDN.ZIP.pif
autoexec.bat
findpass.exe
client.exe
i386.exe
winhlp32.exe
xcopy.exe
mmc.exe

RPC DCOM EXPLOIT

When the worm is initially executed it drops 2 files (61,440 bytes) into the %WinDir%\System32\ folder as:

SPOLLSV.EXE (detected as W32/Lovgate.x@MM).
NETMEETING.EXE (detected as W32/Lovgate.x@MM).

These files are FTP server components which run a script to download a file called HXDEF.EXE which is a copy of the worm itself. The worm is automatically executed after it has been downloaded.

The following Registry key is created to that Netmeeting.exe is executed at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "Microsoft NetMeeting Associates, Inc." = NetMeeting.exe

SYMPTOMS

When the worm is executed, various files are dropped on the system. The following are copies of the worm (152,064 bytes):

%WinDir%\System32\IEXPLORE.EXE
%WinDir%\System32\KERNEL66.DLL
%WinDir%\System32\RAVMOND.exe
%WinDir%\System32\HXDEF.EXE
%WinDir%\System32\UPDATE_OB.EXE
%WinDir%\System32\TKBELLEXE.EXE
%WinDir%\SYSTRA.EXE
%WinDir%\SVCHOST.EXE.EXE
C:\COMMAND.EXE

The following DLLs are also dropped (all identical). This is the remote access component, (detected as BackDoor-AQJ):

%WinDir%\System32\MSJDBC11.DLL
%WinDir%\System32\MSSIGN30.DLL
%WinDir%\System32\ODBC16.DLL
%WinDir%\System32\LMMIB20.DLL

The following Registry keys are added in order to run the worm at system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\ CurrentVersion\Windows "run" = RAVMOND.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "Hardware Profile" = %SysDir%\HXDEF.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "WinHelp" = %SysDir%\IEXPLORE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "Program In Windows" = %SysDir%\IEXPLORE.EXE

The following Registry key is created so that the worm starts an additional Service.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ runServices "SystemTra" = %WinDir%\SYSTRA.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ runServices "COMM++System" = %WinDir%\SVCHOST.EXE

The following keys are added to run the backdoor component at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "Protected Storage" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg

The backdoor component is also installed as two services on the victim machine, the services bearing the following characteristics:

BackDoor-AXJ
(aka Backdoor.Berbew (NAV))
June 25, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low-Profiled
Minimum VirusScan DAT: 4370 (released 6/25/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_100488.htm

June 25, 2004

Media attention has been given to several commercial IIS websites being hacked recently to serve exploit script code that results in the new variant BackDoor-AXJ and other trojans being installed on victim computers. Users browsing the compromised websites, using Internet Explorer, get infected when unsolicited files are downloaded and executed on their computer.

For further details about vulnerable IIS servers and IE clients, see http://www.microsoft.com/security/incident/download_ject.mspx

Once running on the victim's computer, the trojan acts as a web proxy, can check remote server for updates, and logs cached passwords on the victim computer (for sending to the hacker).

This remote access trojan installs itself in the default Windows system directory (e.g. C:\WINNT\SYSTEM32) with a random 8-character filename and drops a DLL with a random 8-character filename. For example,

C:\WINNT\SYSTEM32\OQLCINEI.EXE (39,140 bytes - copy of trojan)
C:\WINNT\SYSTEM32\BAGMBBPJ.DLL (5,633 bytes - dropped DLL)

Two ports (exact port numbers vary between variants) are opened on the victim machine. One port is used for the web proxy, the other for communication. Ports observed in samples include: 7714, 8546, 12334, and 12324.

Notification is sent to the hacker via HTTP, sending data to a remote PHP script. Data includes IP of the computer and port numbers opened. An "identification string" is also sent.

The following registry key is created so the trojan runs when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\ InProcServer32

Value (Default) is added to the registry key and set to the dropped .DLL filename.
Value "ThreadingModel"="Apartment" is also added to the registry key.

Value "Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}" is added to the following registry key:

so the DLL file is loaded when you start Windows. The trojan patches the contents of the dropped DLL file by writing its own filename into it so the DLL file knows the name of the executable file and can run it.

It attempts to access the password cache (includes modem and dial-up passwords, URL passwords, share passwords, and others) on the local computer.

The Trojan may use the following files to log the passwords and to store downloaded configuration data:

It attempts to intercept any entered data in active windows. It intercepts contents from the clipboard. It may target Internet bank accounts to steal login information.

To effectively intercept entered data, the Trojan wants a user to specifically enter the login details. For this purpose, it attempts to disable password caching and to disallow Autocomplete, by setting the following registry values:

"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
"Use FormSuggest"="yes"

in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Exploit-MhtRedir.gen
June 25, 2004

JS/Exploit-DialogArg.bJ
June 25, 2004

W32/Zafi.b@MM
June 14, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4366 (released 6/14/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_126242.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.8, updated 6/14/2004)

June 14, 2004 9:00 a.m. HST - NAI has raised the risk of W32/Zafi.b@MM to MEDIUM due to increased prevalence.

W32/Zafi.b@MM spreads via mass email with .EXE, .COM, or .PIF attachments (12,800 bytes) and P2P (peer-to-peer) filesharing, copying itself to folders with SHARE or UPLOAD in the folder name. The worm overwrites executables in directories of anti-virus an d personal firewall software with a copy of itself. It terminates processes with strings containing REGEDIT, MSCONFIG, and TASK.

The infected email message arrives with a spoofed FROM address. It uses its own SMTP engine to construct messages,in various languages, depending on the top level domain of the recipient's address. For example, user with a .COM email address will receive a message in English, while someone with a .DE email address will receive a message in German.

Some English examples are:

To: jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Body:
Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website! Sender: You can listen your Virtual VoiceMessage at the following link: http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link. Send VoiceMessage! Try our new virtual VoiceMessage Empire! Best regards: SNAF.Team (R).

To: jennifer
Subject: Don`t worry, be happy!
Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Body:
Hi Honey! I`m in hurry, but i still love ya... (as you can see on the picture) Bye - Bye:

To: david
Subject: Check this out kid!!!
Attachment: "jennifer the wild girl xxx07.jpg.pif"
Body:
Send me back bro, when you`ll be done...(if you know what i mean...) See ya,

In addition to these messages, the worm may also arrive with a random attachment name using one of the following extensions: .COM, .EXE, .PIF.

The worm harvest email messages from the local hard drive and stores them in five files in the SYSTEM32 folder using random names and the .DLL file extension.

C:\WINNT\system32\kenbdplk.dll
C:\WINNT\system32\zibscdes.dll
C:\WINNT\system32\qfafsxoz.dll
C:\WINNT\system32\zhzukrhp.dll
C:\WINNT\system32\sdxsuwxt.dll

References to these files are stored in the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb

When executed, the worm copies itself twice to the default Windows SysTEM32 folder using a random name with a .EXE and .DLL extension.

For example,
C:\WINNT\system32\jrbtgmqi.exe
C:\WINNT\system32\enfrbatm.dll

It creates a Registry key so the file gets executed every time the system starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "_Hazafibb" = %windir%\System32\jrbtgmqi.exe

P2P Propagation

The worm copies itself to directories on the c: drive containing the string SHARE or UPLOAD using the following filenames:

Total Commander 7.0 full_install.exe

winamp 7.0 full_install.exe

Windows ME/XP users (special removal instructions):
Windows ME/XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must temporarily disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to dis able System Restore. You may enable System Restore once the viruses have been cleaned or deleted.

W32/Lovgate.ab@MM
May 18, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4361 (released 5/18/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_125301.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.7, updated 5/18/2004)

March 18, 2004 6:30 pm HST - NAI has raised the risk of W32/Lovgate.ab@MM to MEDIUM due to increased prevalence.

W32/Lovgate.ab@MM is a mass mailing and network worm with these characteristics:

drops a backdoor component

attempts to copy itself to remote shares with weak passwords, scanning contiguous IP ranges, seeking accessible IPC$ or ADMIN$ shares.

creates a share on the victim machine (share name "MEDIA").

mails itself, constructing message uses its own SMTP engine. Email attachment may be a ZIP archive. Additionally, mails may be sent in reply to email messages found on the victim machine (MAPI).

performs companion virus infection of EXE files (replacing original file with a copy of itself, and renaming original with a .ZMX extension).

terminates processes associated with various AV and security products

To help protect against the spread of W32/Lovgate and similar worms:

disable file and printer sharing, unless you need to share resources
all shares need a strong password (i.e. combination of upper, lower case, numbers and special characters); do not leave the password blank
map network drives only as needed
limit/specify which accounts can connect to your shares

Email Component

W32/Lovgate.ab@MM arrives in email with the following characteristics:

FROM: spoofed or using harvested email addresses or using random characters or constructed from a list of common first names with the domain attached.

For example,

adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

Attachment: The worm may be attached with one of the following file extensions:

Additionally, the attachment may be a copy of the worm within a ZIP archive (with either a RAR or ZIP extension). In this case, the worm within the archive may have a double extension, which may contain many spaces (eg. .HTM .EXE).

*** The worm can also reply to unread messages in Microsoft Outlook and Outlook Express inboxes (using MAPI). It deletes the original messages after replying to them. These messages have the following characteristics:

Subject: Re: (original subject)

Attachment: Can be any of the following:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

Symptoms
When the worm is executed, it copies itself (108,554 bytes) on the local hard drive as:

%SysDir%\IEXPLORE.EXE
%SysDir%\KERNEL66.DLL
%SysDir%\RAVMOND.exe
%WinDir%\SYSTRA.EXE
C:\COMMAND.EXE

The following DLLs (the remote access component) are dropped:

%SysDir%\MSJDBC11.DLL
%SysDir%\MSSIGN30.DLL
%SysDir%\ODBC16.DLL
%SysDir%\LMMIB20.DLL

The following Registry keys are added in order to run the worm at system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\ CurrentVersion\Windows "run" = RAVMOND.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "Program In Windows" = %SysDir%\IEXPLORE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ runServices "SystemTra" = %WinDir%\SYSTRA.EXE

The following keys are added to run the backdoor component at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "Protected Storage" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg

The backdoor component is also installed as two services on the victim machine, the services bearing the following characteristics:

Service 1
Display name: _reg
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

Service 2
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server. Performs scheduled scans for LANguard.
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

The following Registry keys house the services information:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ Windows Management Protocol v.0 (experimental)

A copy of the worm in a ZIP archive (which may itself have a .ZIP or .RAR extension) may also be dropped to the root of local and mapped drives. The archive will contain a copy of the worm with a COM, EXE, PIF or SCR extension. The archive may have variou s filenames, for example:

password
email
book
letter
bak
work
Important

Peer-to-Peer (P2P) Folder Propagation
The worm copies itself to directories using shared folders commonly used by P2P applications such as KaZaa and Limeware. It copies itself using the following filenames:

Thank you.doc.exe
3D Flash Animator.rar.bat
SWF Browser2.93.txt.exe
Download.exe
Panda Crack.zip.exe
WinRAR V3.2.0 Beta 2.exe
Swish2.00.pif
AAdobe Photoshop7.0 creak.pif
You_Life.JPG.pif
CloneCD crack.exe
WinZip v9.0 Beta Build 5480 crack.exe
Real-DRAW PRO v3.10.exe
Star Wars Downloader.exe
HyperSnap-DX v5.20.01.exe
Adobe Photoshop6.0.zip.exe
HyperSnap-DX v4.51.01.exe

Network Propagation
The worm attempts to connect to remote shares (IPC$ and ADMIN$), using a list of usernames and passwords it carries. If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:

ADMIN$\SYSTEM32\NETMANAGER.EXE

and remotely executing it as a service. The service bears the following characteristics:

Display name: Windows Management NetWork Service Extensions
ImagePath: NetManager.exe -exe_start
Startup: Automatic

The worm replaces EXE files on mapped network drives with a copy of itself and renames the original file with a .ZMX extension.

Windows ME/XP users (special removal instructions):
Windows ME/XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must temporarily disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to dis able System Restore. You may enable System Restore once the viruses have been cleaned or deleted.

W32/Bagle.ab@MM
(aka W32.Beagle.x@MM)
May 10, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4359 (released 5/10/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_125089.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.6, updated 5/10/2004)

NAI has raised the threat level of new variant, W32/Bagle.ab@MM, to MEDIUM to due increased prevalence.

W32/Bagle.ab@MM arrives via email with a spoofed FROM address and various possible attachments (with garbage appended). It has its own SMTP engine to construct email messages and harvests email addresses from files on the local system.

It opens TCP port 2535 on the victim computer, allowing remote access.

The worm is also spread via files on shared folders with the phrase SHAR used in peer-to-peer filesharing applications such as KaZaa, Bearshare, Limeware, etc.

When the worm is executed, a false error message will be displayed:

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages

harvests email addresses from the victim machine

the From: address of messages is spoofed

attachment can be a password-protected zip file, with the password included in the message body.

contains a remote access component (TCP port 2535 is opened)

copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

The worm arrives in email with these characteristics:

FROM: (spoofed)

SUBJECT: (one of the following)

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
New changes
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Body Text: Various strings constructed by the worm's own SMTP engine

If the attachment is a ZIP file, then the Body will contain one of the following messages:

For security reasons attached file is password protected. The password is
For security purposes the attached file is password protected. Password --
Note: Use password
Attached file is protected with the password for security reasons. Password is
In order to read the attach you have to use the following password:
Archive password:
Password
Password:

followed by a copy of an image file dropped as drvddll.exeopenopen.

If the attachment is not a ZIP file, the Body will be blank.

ATTACHMENT: (one of the following)

Information
Details
text_document
Readme
Document
Info
the_message
Details
MoreInfo
Message
You_will_answer_to_me
Half_Live
Counter_strike
Loves_money
the_message
Alive_condom
Joke
Toy
Nervous_illnesses
Manufacture
You_are_dismissed
Your_complaint
Your_money
Smoke
I_search_for_you

with one of the following file extensions:

Executable, using one of the following file extensions:
- exe
- scr
- com
- cpl
Executable dropper, CPL file with .CPL file extension.

The executable using an icon that looks like an envelope.

The CPL file uses an icon that looks like 2 gears.

The virus copies itself in the Windows System directory as DRVDDLL.EXE.

For example, c:\winnt\system32\drvddll.exe.

It also creates other files in the Windows System directory:

DRVDDLL.EXEOPEN (copy of the worm)
DRVDDLL.EXEOPENOPEN (copy of the worm)

A copy of the worm, CPLSTUB.EXE, is dropped in the Windows directory.

The worm adds the following Registry key to hook the system on startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "drvddll.exe" = C:\WINNT\SYSTEM32\drvddll.exe

The worms attempts to terminate anti-virus, security and Windows programs, such as regedit.exe.

The virus listens on TCP port 2535 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites (mostly in Germany).

It copies files (containing the worm) to folders with the phrase SHAR, which is commonly used in peer-to-peer filesharing programs like KaZaa, Bearshare, Limeware, etc.

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

For Windows ME/XP users:

Windows ME/XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

W32/Gaobot.worm.ali
May 4, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4358 (released 5/5/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_125006.htm

W32/Gaobot.worm.ali appears to be the first Gaobot (aka Agobot) variant that exploits the MS04-011 (LSASS vulnerability). Although this virus is rated LOW (depends on an IRC server which is no longer available), it is presumed that other more functional v ariants will soon follow. DAT 4358 is scheduled for release on May 5, 2004.

Note: this variant has been detected at one of the UH Community Colleges and UH Manoa and may be confused with the Sasser worm (which also shuts down and restarts computers).

*** Important: if you have not already patched your Windows system (Windows NT, Windows 2000, Windows XP, Windows server 2003), please do so ASAP. Go to http://windowsupdate.microsoft.com, click on scan for updates, and install all critical updates. Windows Update should be done regularly, at least once or twice a month.

You can also get the MS04-011 (KB835732) patch from http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

Unless you patch your Windows, your system will get infected (or reinfected even after you clean your virus infection). You MUST patch your system; running Stinger or scanning all files on your hard drive is NOT sufficient.

For maximum protection against the Gaobot family (more than 900 variants), users are recommended to:

use the latest engine/DATs combination

ensure the scanning of compressed files is enabled

keep Windows systems patched by using Windows Update ensure weak username/passwords are not used (use upper, lower case, numbers and special characters; don't use dictionary passwords)

run a personal desktop firewall application

The virus contains lots of remote access functionality, including:

Create/Remove services
Denial of service attack
FTP/HTTP functions (upload, download files, etc)
IRC functions
Retrieve system information (RAM, CPU, Disk Space)
Secure/insecure Windows shares
Shutdown/reboot/logoff computer
Sniffer
Steal CD and product keys for various products
Terminate running processes

When run, this virus copies itself to the Windows System directory (c:\winnt\system32 or c:\windows\system32) as msiwin84.exe and creates several registry run keys in order to load itself at system startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "Microsoft Update" = msiwin84.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\RunServices "Microsoft Update" = msiwin84.exe

The virus attempts to run a speed test for Internet connectivity by contacting various web sites.

The virus attempts to connect to an Internet Relay Chat server (TCP Port 6667) to allow for a remote attack to send commands to the infected system:

malalala.bin-laden.cc

This threat is reliant upon connecting to this IRC server, and receiving spread commands in order to propagate. At the time of this writing, the DNS entry for this domain has been set to 0.0.0.0, therefore crippling this threat.

Infected systems list on two random TCP ports, which are control ports for attackers to exploit.

The local HOSTS file (%SysDir%\drivers\etc\hosts) is overwriten to block access to various anti-virus and security web sites (note this file is detected with current DAT files as Qhosts.apd).

It also attempts to terminate anti-virus, security, other viruses and Windows programs, e.g. regedit.exe.

The worm spreads via accessible or poorly secured network shares. It has a list of commonly used username/password combinations.

For Windows ME/XP users:

Windows ME/XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

W32/Sasser.worm.d
May 4, 2004

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4357 (released 5/4/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_125012.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.5, updated 5/4/2004)

May 4, 2004 - NAI has raised the risk of W32/Sasser.worm.d to MEDIUM due to increased prevalence.

W32/Sasser.worm.d is an Internet worm that spreads via the network, exploiting unpatched Windows systems with the vulnerability described in Microsoft Security Bulletin MS04-011 ( KB835732). This worm doesn't spread via email. No user intervention is required to become infected or to propagate the worm further. The worm instructs vulnerable systems to download and the execute the viral code.

Windows NT, Windows 2000, Windows XP and Windows server 2003 users must patch their system for the MS04-011 LSASS vulnerability to prevent infection (and reinfection). Go to http://windowsupdate.microsoft.com, scan for updates, and install all critical updates. The patch is also available at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

Note: the Sasser worm can run on (but not infect) Windows 95/98/ME computers. These systems can be used to infect other vulnerable systems.

W32/Sasser.worm.d functions similarly as the original variant, with the following exceptions:

This variant spreads with the filename SKYNETAVE.EXE (16,384 bytes)

It sends ICMP echo packets to discover potential victims

It creates a remote shell on TCP Port 9995 rather than 9996

The worm spreads with filename skynetave.exe (16,384 bytes). It copies itself to the Windows directory and creates a registry key to load itself on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "skynetave.exe" = C:\WINDOWS\skynetave.exe

The worm scans random ip addresses for exploitable systems, using successive TCP ports starting at 1068. When it finds a vulnerable system, it causes a buffer overflow in LSASS.EXE. It creates a remote shell on TCP port 9995 and creates an FTP script name d cmd.ftp on the remote host and executes it. The FTP script instructs the target system to download and execute the worm (filename #_upd.exe) from the infected host. The infected host accepts FTP traffic on TCP port 5554.

A file named win2.log is created on the root of the C: drive. This file contains an IP address and the number of computers infected.

Copies of the worm are created in the Windows System directory as #_up.exe where # is a 4- or 5-digit number.

Examples

c:\WINDOWS\system32\26347_up.exe
c:\WINDOWS\system32\5157_up.exe

A side-effect of the worm is for LSASS.EXE to crash; by default the system will reboot after the crash occurs.

You may get the following windows when LSASS.EXE crashes:

The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The worm scans private IPs such as 10.0.0.0 and 192.168.0.0 only if they are part of the local subnet. The des tination port is TCP 445.

For Windows XP users:

Windows XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the Sy stem Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Res tore.

W32/Sasser.worm.b
May 3, 2004

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4356 (released 5/2/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_125008.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.4, updated 5/2/2004)

May 2, 2004 - NAI has raised the risk of W32/Sasser.worm.b to MEDIUM due to increased prevalence.

W32/Sasser.worm.b is an Internet worm that spreads via the network, exploiting unpatched Windows systems with the vulnerability described in Microsoft Security Bulletin MS04-011 ( KB835732). This worm doesn't spread via email. No user intervention is required to become infected or to propagate the worm further. The worm instructs vulnerable systems to download and the execute the viral code.

Windows NT, Windows 2000, Windows XP and Windows server 2003 users must patch their system for the MS04-011 vulnerability to prevent infection (and reinfection). Go to http://windowsupdate.microsoft.com, sc an for updates, and install all critical updates. The patch is also available at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

Note: the Sasser worm can run on (but not infect) Windows 95/98/ME computers. These systems can be used to infect other vulnerable systems.

The worm spreads with filename aserve2.exe (15,872 bytes). It copies itself to the Windows directory and creates a registry key to load itself on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "avserve2.exe" = C:\WINDOWS\avserve2.exe

The worm scans random ip addresses for exploitable systems, using successive TCP ports starting at 1068. When it finds a vulnerable system, it causes a buffer overflow in LSASS.EXE. It creates a remote shell on TCP port 9996 and creates an FTP script name d cmd.ftp on the remote host and executes it. The FTP script instructs the target system to download and execute the worm (filename #_upd.exe) from the infected host. The infected host accepts FTP traffic on TCP port 5554.

A file named win2.log is created on the root of the C: drive. This file contains an IP address.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe

A side-effect of the worm is for LSASS.EXE to crash; by default the system will reboot after the crash occurs.

You may get the following windows when LSASS.EXE crashes:

The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.

For Windows XP users:

Windows XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the Sy stem Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Res tore.

W32/Sasser.worm.a
May 3, 2004

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4355 (released 5/1/2004)
Updated VirusScan DAT: 4356 (released 5/2/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_125007.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.4, updated 5/2/2004)

May 1, 2004 - NAI raised the risk of W32/Sasser.worm.a to MEDIUM due to increased prevalence.

W32/Sasser.worm.a is an Internet worm that spreads via the network, exploiting unpatched Windows systems with the vulnerability described in Microsoft Security Bulletin MS04-011 ( KB835732). This worm doesn't spread via email. No user intervention is required to become infected or to propagate the worm further. The worm instructs vulnerable systems to download and the execute the viral code.

Windows NT, Windows 2000, Windows XP and Windows server 2003 users must patch their system for the MS04-011 vulnerability to prevent infection (and reinfection). Go to http://windowsupdate.microsoft.com, sc an for updates, and install all critical updates. The patch is also available at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

Note: the Sasser worm can run on (but not infect) Windows 95/98/ME computers. These systems can be used to infect other vulnerable systems.

The worm spreads with filename aserve.exe (15,872 bytes). It copies itself to the Windows directory and creates a registry key to load itself on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe

The worm scans random ip addresses for exploitable systems, using successive TCP ports starting at 1068. When it finds a vulnerable system, it causes a buffer overflow in LSASS.EXE. It creates a remote shell on TCP port 9996 and creates an FTP script name d cmd.ftp on the remote host and executes it. The FTP script instructs the target system to download and execute the worm (filename #_upd.exe) from the infected host. The infected host accepts FTP traffic on TCP port 5554.

A file named win.log is created on the root of the C: drive. This file contains the IP address of the local host.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe

A side-effect of the worm is for LSASS.EXE to crash; by default the system will reboot after the crash occurs.

You may get the following windows when LSASS.EXE crashes:

W32/Netsky.ab@MM
April 28, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4354 (released 4/28/2004 9:25 am HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_124873.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.2, updated 4/28/2004)

W32/Netsky.ab@MM variant has been raised to MEDIUM risk due to increased prevalence.

W32/Netsky.ab@MM is spread via email, arriving from a spoofed or forged FROM address, and attachment with a PIF extension. Outgoing email messages are constructed using the virus' SMTP engine. Email addresses are harvested from files on the local computer .

W32/Netsky.ab@MM arrives in email with the following characteristics:

FROM: (spoofed, using one of the harvested email addresses)

SUBJECT: (one of the following)

Correction

Hurts

Privacy

Password

Wow

Criminal

Pictures

Text

Money

Stolen

Found

Numbers

Funny

Only

love?

samples

Picture

Letter

Question

Illegal

BODY: (one of the following)

Please use the font arial!
How can I help you?
Still?
I've your password.
Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard.
Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!

ATTACHMENT: (PIF extension with one of the following filenames)

corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif

The virus installs itself as CSRSS.EXE in the default Windows directory, e.g. c:\windows or c:\winnt.

It adds a Registry key to hook the system on startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run "BagleAV" = %WinDir%\CSRSS.EXE

It sends DNS queries to one of the following hard-coded IP addresses:

212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
62.155.255.16
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162

W32/Bagle.aa@MM
(aka W32.Beagle.x@MM)
April 28, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium on Watch
Minimum VirusScan DAT: 4354 (released 4/28/2004 9:25 am HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_124875.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.2, updated 4/28/2004)

NAI has raised the threat level of new variant, W32/Bagle.aa@MM, to MEDIUM on Watch to due increased prevalence.

W32/Bagle.aa@MM arrives via email with a spoofed FROM address and various possible attachments (with garbage appended). It has its own SMTP engine to construct email messages and harvests email addresses from files on the local system.

The worm is also spread via files on shared folders with the phrase SHAR used in peer-to-peer filesharing applications such as KaZaa, Bearshare, Limeware, etc.

When the worm is executed, a false error message will be displayed:

The email message will have the following characteristics:

FROM: (spoofed)

SUBJECT: (one of the following)

Re: Msg reply

Re: Hello

Re: Yahoo!

Re: Thank you!

Re: Thanks :)

RE: Text message

Re: Document

Incoming message

Re: Incoming Message

RE: Incoming Msg

RE: Message Notify

Notification

Changes..

New changes

Hidden message

Fax Message Received

Protected message

RE: Protected message

Forum notify

Site changes

Re: Hi

Encrypted document

Body Text: Various strings constructed by the worm's own SMTP engine

If the attachment is a ZIP file, then the Body will contain one of the following messages:

For security reasons attached file is password protected. The password is
For security purposes the attached file is password protected. Password --
Note: Use password
Attached file is protected with the password for security reasons. Password is
In order to read the attach you have to use the following password:
Archive password:
Password
Password:

followed by a copy of an image file dropped as drvddll.exeopenopen.

If the attachment is not a ZIP file, the Body will be blank.

Attachment: (one of the following)

Information
Details
text_document
Readme
Document
Info
the_message
Details
MoreInfo
Message
You_will_answer_to_me
Half_Live
Counter_strike
Loves_money
the_message
Alive_condom
Joke
Toy
Nervous_illnesses
Manufacture
You_are_dismissed
Your_complaint
Your_money
Smoke
I_search_for_you

with one of the following file extensions:

Executable, using one of the following file extensions:
- exe
- scr
- com
- cpl
Executable dropper, CPL file with .CPL file extension.

The executable using an icon that looks like an envelope.

The CPL file uses an icon that looks like 2 gears.

A file named CPLSTUB.EXE (copy of the worm) is dropped in the default Windows directory, e.g. c:\windows or c:\winnt.

The following Registry key is added to hook system startup:

The worm attempts to terminate anti-virus, security and Windows programs such as REGEDIT.EXE . See http://vil.nai.com/vil/content/v_124875.htm for complete list.

It opens TCP port 2535 on the victim's computer and sends notification to the virus author that the computer is ready to accept remote commands, by calling a PHP script on remote web sites (mostly in Germany).

It creates copies of itself in folders with the phrase shar (commonly used with peer-to-peer filesharing like KaZaa). The infected files will have the following filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

For Windows ME/XP users:

Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

W32/Bagle.z@MM
(aka W32.Beagle.W@MM)
April 26, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4353 (released 4/26/2004 11:50 am HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_122415.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.1, updated 4/26/2004)

NAI has raised the threat level of new variant, W32/Bagle.z@MM, to MEDIUM to due increased prevalence. Please update your McAfee VirusScan DAT to 4353 (released 4/26/04 11:50 am HST), using the manual updater method described at http://www.hawaii.edu/anti virus/howtoupdate.html.

W32/Bagle.z@MM arrives via email with a spoofed FROM address and various possible attachments (with garbage appended). It has its own SMTP engine to construct email messages and harvests email addresses from files on the local system.

The worm is also spread via files on shared folders with the phrase SHAR used in peer-to-peer filesharing applications such as KaZaa, Bearshare, Limeware, etc.

When the worm is executed, a false error message will be displayed:

The email message will have the following characteristics:

FROM: (spoofed)

It may use these address strings:

lizie@

annie@

ann@

christina@

secretGurl@

jessie@

christy@

SUBJECT: (one of the following)

Hello!
Hey!
Let's socialize, my friend!
Let's talk, my friend!
I'm bored with this life
Notify from a known person ;-)
I like you
I just need a friend
I'm a sad girl...
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document

Body Text: Various strings constructed by the worm's own SMTP engine

Part 1:

I study at school, I like to spend time cheerfully even if not all so well, I hompe and trust, that all bad when nibud will pass and necessarily nastanet there would be a desire.
I like to feel protected, to understand, that near to me the man, which both in sex, and in life knows what to do. It is possible to fall in love with such the man for ever.
Cometime I write a poem, play the gitar. I love a traveling, I like a romantice and I want to meet, comeday, my big love!
I am kind, fair, careful, gentle also want to create family. I love animal (cats, dogs), the literature, theatre, cinema, music, walks in park
I very much love productive leisure, to prepare for new exotic dishes, at leisure to leave with friends on the nature, to float, I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going.
I have recently got demobilize from army and also I am going to act in a higher educational institution
Searching for the right person,for real man, who will really cares and love me.
I am a honest, kind,loving,with good sense of humor...etc.,looking for true love... or maybe for pen friend.I like cats
I am looking for a serious relationship. I am NOT interested in flirt and short-term love adventure.
I love, as the good company, and I dream about romantic appointment at candles with loved. I still believe in love.
I like an active life... and interesting people..
i am honest, responsible, romantic person. iwould like to find my only love,to find my destiny.
I'm a young lady of 20 years old i'd like to find my second part!!!
I am simple girl who are looking for serious relation with responsible and confident man. I am ready to give all my love and carering for a right person who is going to love and respect me
I am a beautiful, sexual girl with very big ambitions and dreams. I can make happy anyone man...
I am a student. I'm studying international relationships. I would like to find an interesting and active man for serious relations. Sitting at home it is not for me. I like to go out to the theater, cinema, and nightclubs.
I love productive leisure, to travel, communicate with friends.
I very much love new acquaintances, I love music, meetings with friends. I go on night clubs, except for parties I sometimes visit theatres and I love cinema. In general I only shall be glad to new acquaintance and class dialogue...
I'm so bored, let me talk with you...
You are my prince :-)
You are cool :-)

Part 2:

Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
See the attached file for details.
Message is in attach
Here is the file.
For more information see the attached file.
Attached file will tell you everything.
For details see the attach.
Attached file tells everything.
Further details are in attach.

Part 3:

Sincerely,
Best wishes,
Yours,
Have a good day,
Cheers,
Kind regards,

If the attachment is a password-protected ZIP file, one of the following is attached to the email:

For security reasons attached file is password protected. The password is [reference to image file]
For security purposes the attached file is password protected. Password -- [reference to image file]
Note: Use password [reference to image file] to open archive.
Attached file is protected with the password for security reasons. Password is [reference to image file]
In order to read the attach you have to use the following password: [reference to image file]
Archive password: [reference to image file]
Password - [reference to image file]
Password: [reference to image file]

-------------------------------------
Here is a sample message:

Hello [NAME],

[IMAGE]
i am honest, responsible, romantic person. iwould like to find my only love,to find my destiny.

For more information see the attached file.

Attached file is protected with the password for security reasons.
Password is [IMAGE]

Best wishes, Annie

-------------------------------------
Attachment: (one of the following)

a script dropper with HTA or VBS extension
a password-protected ZIP file (with password in the message body)
an executable file with EXE, SCR, COM or CPL extensions
- Information
- Details
- Readme
- Document
- Info
- Details
- MoreInfo
- Message
executable dropper, CPL file with .CPL extension

The executable using an icon that looks like 3 cherries.

The CPL file uses an icon that looks like 2 gears.

The virus copies itself into the Windows System directory as drvsys.exe. For example:

It also creates other files in this directory to perform its functions:

drvsys.exeopen (Copy of the worm)
drvsys.exeopenopen (Copy of the worm)

The following Registry key is added to hook system startup:

The worm attempts to terminate anti-virus, security and Windows programs such as REGEDIT.EXE .

It opens TCP port 2535 on the victim's computer and sends notification to the virus author that the computer is ready to accept remote commands, by calling a PHP script on remote web sites.

It creates copies of itself in folders with the phrase shar (commonly used with peer-to-peer filesharing like KaZaa). The infected files will have the following filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe

W32/Netsky.s@MM
April 6, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4348 (released 4/6/2004 9:00 am HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_101156.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.0, updated 4/6/2004)

W32/Netsky.s@MM is spread via mass email with a spoofed FROM address and attachment with a .PIF extension (18,432 bytes). It gathers email addresses from files on drives C: through Z: (excluding CD-ROM drives). It has a backdoor component, opening TCP por t 6789 on the victim's computer, which facilitates downloading and execution of files. If the system date is between April 14-23, the worm launches a denial of service (DoS) attack on several web sites.

The email arrives with the following characteristics:

From: (spoofed or forged)

Subject: (one of the following):
Body: various message bodies constructed from strings within the worm, using its own SMTP engine

The first part is one of the following:
- Hi!
- Hello!
The second part is one of the following, where %s is the attachment name:
- Note that I have attached your document.
- My %s.
- The %s.
- I have spent much time for the %s.
- I have spent much time for your document.
- Your %s.
- Please notice the attached %s.
- Please notice the attached document.
- Please read quickly.
- For more details see the attached document.
- For more information see the attached document.
- Approved, here is the document.
- I have found the %s.
- My %s is attached.
- Your %s is attached.
- Please, %s.
- Your file is attached to this mail.
- Please read the attached document.
- Please have a look at the attached document.
- See the document for details.
- Here is the document.
- The requested %s is attached!
- I have sent the %s.
- Please see the %s.
- The %s is attached.
- Here is the %s.
- Please have a look at the %s.
- Please read the %s.
The third part is one of the following:
- Yours sincerely
- Thank you
- Thanks
The fourth part is one of the following:
- +++ X-Attachment-Type: document
  +++ X-Attachment-Status: no virus found
  +++ Powered by the new Panda OnlineAntiVirus
  +++ Website: www.pandasoftware.com
- +++ X-Attachment-Type: document
  +++ X-Attachment-Status: no virus found
  +++ Powered by the new MCAfee OnlineAntiVirus
  +++ Homepage: www.mcafee.com
- +++ X-Attachment-Type: document
  +++ X-Attachment-Status: no virus found
  +++ Powered by the new F-Secure OnlineAntiVirus
  +++ Visit us: www.f-secure.com
- +++ X-Attachment-Type: document
  +++ X-Attachment-Status: no virus found
  +++ Powered by the new Norton OnlineAntiVirus
  +++ Free trial: www.norton.com
Attachment: .PIF extension, with filename from the following and a random number appended to it. For example, picture_document8.pif.
- account
- postcard
- sample
- developement
- concept
- story
- report
- icq_number
- e-mail
- phone_number
- personal_message
- photo_document
- order
- important_document
- diggest
- final_version
- release
- answer
- bill
- notice
- requested_document
- description
- summary
- picture_document
- movie_document
- approved_document
- old_document
- document
- mail
- letter
- homepage
- detailed_document
- powerpoint_document
- excel_document
- word_document
- info
- information
- text
- new_document
- textfile
- user_list
- improved_file
- secound_document
- file
- number_list
- contact_list
- message
- note
- improved_document
- details
- instructions
- presentation_document
- abuse_list
- archive
- corrected_document
- list
- approved_file
Here is an email sample of W32/Netsky.s@MM:

Technical Information:

The worm installs itself in the Windows directory as EASYAV.EXE.
It adds a registry key to hook itself on startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run "EasyAV" = %WinDir%\EASYAV.EXE
It copies itself as UINMZERTINMDS.OPM (base-64 encoded) in the Windows directory.

It opens TCP port 6789 on the infected computer and launches a denial of service (DoS) attack on the following websites, if the current system date is between April 13-24, 2004:
- www.keygen.us
- www.freemule.net
- www.kazaa.com
- www.emule.de
- www.cracks.am
The worm queries DNS at one of the following IPs:
- 212.44.160.8
- 195.185.185.195
- 151.189.13.35
- 213.191.74.19
- 193.189.244.205
- 145.253.2.171
- 193.141.40.42
- 194.25.2.134
- 194.25.2.133
- 194.25.2.132
- 194.25.2.131
- 193.193.158.10
- 212.7.128.165
- 212.7.128.162
- 193.193.144.12
- 217.5.97.137
- 195.20.224.234
- 194.25.2.130
- 194.25.2.129
- 212.185.252.136
- 212.185.253.70
- 212.185.252.73
W32/Sober.f@MM
April 5, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4347 (released 4/5/2004 9:00 am HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_101154.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.1.9, updated 4/4/2004)

W32/Sober.f@MM is spread via mass email (written in English or German), by sending itself to email addresses harvested from files on the infected system. It does not use any exploits to automatically execute the attachment. Users must choose to open the attachment to get infected. Be careful when opening unexpected attachments.

The email arrives with the following characteristics (English version listed):
(German version of email is listed at http://vil.nai.com/vil/content/v_101154.htm.)

FROM: (spoofed or forged)

SUBJECT: (one of the following):
Body: (one of the following)
- I was surprised, too! :-(
  Who could suspect something like that?
  shock
- All OK :)
  see, what i've found!
- hi its me
  i've found a shity virus on my pc. check your pc, too!
  follow the steps in this article.
  bye
- I 've told you!:-) sometime I grab your passwords!
  your_passwords
  I hope you accept the result!
- Follow the instructions to read the message.
  Please read the document
- Your password was changed successfully.
  Protected message is attached.
  ++++ Service: http://www.(domain name)
  ++++ Mail To: User-info
- 67.28.114.32_failed_after_I_sent_the_message./
  Remote_host_said:_554_delivery_error:_dd_
  Sorry_your_message_cannot_be_delivered._
  This_account_has_been_disabled_or_discontinued_[#102]._-_mta134.mail.dcn.com
  ** End of Transmission
- The original message is a separate attachment.
  --- Mail To: UserHelp
  Error_Info
  _attach
  Read the attachment for details.
  Bad Gateway: The message has been attached.
  +++ A service of
  +++ Mail: home
- Database #Error
  -- Partial message is available!
  -- Error: llegal signs in Mail-Routing
  -- Mail Server: ESMTP VX32.9 Version Betha Alpha
- Mail- Attachment: No suspicious Virus signatures
  Mail Scanner: No Virus found
  Anti-Virus: No Virus!
ATTACHMENT: file with .PIF (30,720 bytes) or a .ZIP (30,866 bytes) extension
One of the following names (filename may be preceded by random numbers and appended with _attach):
- Administrator
- AMD-System.txt
- AntiVirus-Text
- attach-message
- AutoMailer
- block-lists
- check-this
- corrected_text-file
- database_partial
- database
- Error_info
- error
- error-message
- help
- instructions
- message
- Money_help
- partial
- pass-message
- pmessage-text
- RobotMailer
- textdocument
- User-info
- webmaster
- your_article
- your-passwords
Technical Information:

When the worm is executed, it drops the following files in the default Windows System32 %system32% folder (c:\Windows\System or c:\WinNT\System32):
- WINHEX32XX.WRM (58,156 bytes, MIME encoded copy of the worm)
- WINSYS32XX.ZZP (58,374 bytes, MIME encoded ZIP including the worm)
- SYST32WIN.DLL (varies, harvested email addresses)
- SPOOFED_RECIPS.OCS (varies, harvested email addresses)
- BCEGFDS.LLL (0 bytes)
- ZHCARXXI.WX (0 bytes)
- ZMNDPGWF.KXX (0 bytes)
The worm copies itself to the %system32% folder using a filename constructed from the following strings: 32, crypt, data, diag, dir, disc, explorer, host, log, run, service, smss32, spool, sys, win. For example, WINSYSSERVICE.EXE or DISCDIRRUN.EXE.

It creates a registry key to get itself started on system bootup:
Registry key is also created:
Once the computer has been infected, read-access to its file may be denied. Then VirusScan scanner will not be able to detect the file. If a computer is suspected of being infected, the following removal procedure is recommended:
1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
2. Run a system scan using the specified engine/DATs.
3. Delete files flagged as infected
4. Restart machine in default mode.
W32/Netsky.q@MM
March 29, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4345 (released 3/29/2004 6:30 am HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_101145.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/(v2.1.8, updated 3/29/2004 HST)

W32/Netsky.q@MM spreads via mass email and arrives with a spoofed or forged FROM address, variable subject, variable message body and variable attachment (28,008 bytes) with a .PIF, .SCR, .ZIP, or .EML file extension. The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" (MS01-020, superceded by MS01-027) vulnerability that causes unpatched systems (with Microsoft Internet Explorer v5.01 or v5.5 without SP2) to automatically execute the worm when reading or previewing an infected message.

The worm copies itself as SysMonXP.exe in the Windows directory. It creates the following files in the Windows directory:
The following registry key is created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "SysMonXP" = Data: C:\WINDOWS\SysMonXP.exe
The email has the following characteristics:

From: (spoofed or forged)

Subject:
- Delivery Bot (%recipient email address %)
- Server Error (%recipient email address %)
- Deliver Mail (%recipient email address %)
- Delivery Failed (%recipient email address %)
- Unknown Exception (%recipient email address %)
- Failed (%recipient email address %)
- Failure (%recipient email address %)
- Status (%recipient email address %)
- Error (%recipient email address %)
- Delivered Message (%recipient email address %)
- Mail System (%recipient email address %)
- Mail Delivery System (%recipient email address %)
- Mail Delivery failure (%recipient email address %)
- Delivery (%recipient email address %)
- Delivery Failure (%recipient email address %)
- Delivery Error (%recipient email address %)
Body:
- Received message has been sent as a binary file.
- Modified message has been sent as a binary attachment.
- Received message has been sent as an encoded attachment.
- Translated message has been attached.
- Message has been sent as a binary attachment.
- Received message has been attached.
- Partial message is available and has been sent as a binary attachment.
- The message has been sent as a binary attachment.
- Delivery Agent - Translation failed
- Delivery Failure - Invalid mail specification
- Mail Delivery Failure - This mail couldn't be shown
- Mail Delivery System - This mail contains binary characters
- Mail Transaction Failed - This mail couldn't be converted
- Mail Delivery Error - This mail contains unicode characters
- Mail Delivery Failed - This mail couldn't be represented
- Mail Delivery - This mail couldn't be displayed
Attachment: (random filename generated from 3 parts below)
- Part 1: one of the following - mail, msg, message, Note, data
- Part 2: random numbers or nothing
- Part 3: file extension .PIF, .SCR, .ZIP, or .EML
For example, message2.zip or data.pif.

The worm harvests email addresses from files on the local system with file extensions including .PPT, .XLS, .HTML, .HTM, .DBX, .CGI, .DOC, .WAB, .ASP, .PHP, .TXT, .EML (for complete list of file extens ions)

W32/Bagle.u@MM
March 28, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4344 (released 3/26/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_101141.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/(v2.1.7, updated 3/26/2004)

W32/Bagle.u@MM (also known as W32.Beagle.u@mm) is spread via mass mailing and arrives in an email message with a spoofed FROM address, blank subject, blank body, and a randomly named attachment with an .EXE file extension (8,208 bytes).

The email has the following characteristics:
Email addresses are harvested from files on the victim's computer with extensions .wab, .txt, .msg, .htm, .shtm, .xml, .dbx, .mbx, .eml, .asp, .jsp, .xls, ... (for complete list of file extensions). The worm mass-mails itself to recipients extracted from the victim's computer.

MSHEARTS.EXE (Windows Hearts game) is run (if present on the infected computer) when the worm executes.

The worm opens TCP port 4751 on the infected computer. The exact functionality of this backdoor is under investigation. It is suspected that it may allow downloading and execution of files.

It sends notification (containing port number and ID number) via HTTP to a remote script at http://www.werde.de.

The worm copies itself into the default Windows System directory (%SysDir%) as GIGABIT.EXE. For example, c:\WinNT\System32\GIGABIT.EXE.

It adds the following Registry key to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "gigabit.exe" = %SysDir%\gigabit.exe
It creates the following Registry key:

HKEY_CURRENT_USER\Software\Windows2004
with values "fr1n" and "gsed".

The worm checks the system date when it is executed. If it is Jan. 1, 2005 or later, it terminates.

W32/Netsky.p@MM
March 22, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows S erver 2003 and Internet Explorer 5.01 and 5.5
Risk Assessment: Medium
Minimum VirusScan DAT: 4340 (released 3/22/2004 8:00 am HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_101119.htm
Stinger Removal Tool: http://vil.nai.c om/vil/stinger/(updated: 3/22/2004 HST)

The Netsky.p virus has two methods of spreading itself - first mass mailing and the second is vulnerable Microsoft Internet Explorer 5.01 and 5.5. The virus will install its own SMTP server on the infected computer so that it can send out infected message s to email addresses that it finds on the infected computer. The virus will search a variety of files and glean email addresses from these files. Some examples of the files are XML, HTML, HTM, and VBS. For a complete list, please visit the McAfee informat ion above. This means that users might complain about numerous return to sender email messages that they never sent out or they do not know the person that they supposed to have sent the email message to.
The second method uses an old vulnerability in Microsoft Internet Explorer 5.01 and 5.5. The virus will execute when one of these versions of Internet Explorer is used to view the infected email.

The virus does these things to ensure that it runs on startup. The virus on an infected computer will copy itself to the Windows directory. The file name is FVProtect.exe. It will also create other files:

userconfig9x.dll (file size is 26,624)
base64.tmp (UUEncoded worm)
zip1.tmp (UUEncoded of worm zip archive)
zip2.tmp (UUEncoded of worm zip archive)
zip3.tmp (UUEncoded of worm zip archive)
zipped.tmp (worm in zip archive)
The virus will create a registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe
The last thing that it would do is search the hard drive for the following words and copy itself into those directories:

shared files
kazaa
mule
donkey
morpheus
lime
bear
icq
shar
upload
http
htdocs
ftp
download
my shared folder
Once it copies itself to these directories, the virus' file name will entice the users of the shared resource to execute it. Some of the file names are Adobe Photoshop 10 full.exe and Ahead Nero 8.exe. For a complete list, please visit http://vil.nai.com/vil/content/v_101119.htm

W32/Bagle.p@MM
March 15, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows S erver 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4338 (released 3/15/2004 1:53 pm HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http ://vil.nai.com/vil/content/v_101098.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/(updated: 3/15/2004)

The bagle.p virus is a mass-mailing virus that will send itself as an infected attachment to other people whose email address existed on the victim's computer. The email addresses are gleaned from many different file types - WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, AND JSP files. The email message will look like it is from an authoritative source and the topic is usually concerning the person's email accoun t or password.

Here is an example of what a bagle.p infected message would look like:
---------------start of EXAMPLE message-----------------
To: therese@hawaii.edu
From: support@hawaii.edu
Subject: E-mail account security warning

Dear user of hawaii.edu,

mailing system wants to let you know that, Your e-mail account has been temporary disabled because of unauthorized access. Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configur e our free auto-forwarding service.
For security reasons attached file is password protected. The password is (attached image inserted here)
Sincerely,
The hawaii.edu team http://www.hawaii.edu
---------------end of EXAMPLE message-----------

The bagle.p will infect the victim's computer after the attachment is executed. The virus will make some registry edits so that it can set up a SMTP server on the victim's computer. It will use this SMTP server to spread itself on the Internet.

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "winupd.exe" = C:\WINNT\SYSTEM32\winupd.exe

The worm uses the text file icon to disguise itself.
It also needs the following files to run properly:

The virus copies itself into the Windows System directory as using the following names For example:

C:\WINNT\SYSTEM32\WINUPD.EXE

C:\WINNT\SYSTEM32\winupd.exeopen

C:\WINNT\SYSTEM32\winupd.exeopenopen

The bagle.p virus will attempt to turn off many of the popular security products from the TSR memory so that it can avoid being detected. For a complete list of TSRs that it tries to turn off, please visit http://vil.nai.com/vil/content/v_101098.htm
IMPORTANT
The most damaging part of bagle.p is that it will search the hard drives for *.EXE files and it appends the EXE files with its own encryption code. The file size will increase about 45KB and the time and date stamps will change to the time and dat e of infection.

W32/Bagle.n@MM
March 13, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows S erver 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4337 (released 3/13/2004 10:00 pm HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101095.htm
Stinger Removal Tool: http://vil.nai.com/vil/stinger/(updated: 3/13/2004 at 10:00 PM HST)

The W32/Bagle.n virus is masquerading as an official email message with an attachment. The email message looks like it is from one of these accounts but it is spoofed or faked.

management@
administration@
staff@
noreply@
support@
and other email addresses found on the infected computer (which is not necessarily your computer)
Subject line examples:

Account notify

E-mail account disabling warning.

E-mail account security warning.

Email account utilization warning.

Email report

E-mail technical support message.

E-mail technical support warning.

E-mail warning

Encrypted document

Fax Message Received

Forum notify

Hidden message

Important notify

Important notify about your e-mail account.

Incoming message

Notify about using the e-mail account.

Notify about your e-mail account utilization.

Notify from e-mail technical support.

Protected message

Re: Document

Re: Hello

Re: Hi

Re: Incoming Fax

Re: Incoming Message

Re: Msg reply

RE: Protected message

RE: Text message

Re: Thank you!

Re: Thanks :)

Re: Yahoo!

Request response

Site changes

Warning about your e-mail account.

There is a wide variety of Attachment explanations, Password Information, Closings, and Attachment file names. The message body is a better way to identify a virus infected message. The message might contain one of the following sentences:
EXAMPLES

Your e-mail account has been temporary disabled because of unauthorized access.

Our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.

We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.

Our antivirus software has detected a large amount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

The closing statement might have a URL at the end of the message to make the message look a bit authentic. Be forewarned, most Internet Service Providers and the University of Hawaii do not send out email messages concerning your email account with an attachment unless you requested information.

If the infected attachment is executed, the virus will infect the Windows computer. It will install its own SMTP server (email server) so that it can spread itself on the Internet, port 2556 is opened so that a remote connection could be made to the infec ted computer, there are some registry entries, the virus resides in a file that looks like a TrueType font file, and it attempts to turn off a number of security processes such as antivirus software and firewall software processes.
Here are some examp les of processes:

AGENTSVR.EXE

ANTI-TROJAN.EXE

ANTI-TROJAN.EXE

ANTIVIRUS.EXE

ANTS.EXE

APIMONITOR.EXE

APLICA32.EXE

APVXDWIN.EXE

ATCON.EXE

ATGUARD.EXE

ATRO55EN.EXE

ATUPDATER.EXE

ATWATCH.EXE

au.exe

AUPDATE.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AVCONSOL.EXE

AVGSERV9.EXE

AVLTMAIN.EXE

AVprotect9x.exe

AVPUPD.EXE

AVSYNMGR.EXE

more listed on http ://vil.nai.com/vil/content/v_101095.htm

If you think that you are infected, please download the Stinger and run a full scan on your computer.
Please check the Network Associates web page for a current list of processes and subject lines. http ://vil.nai.com/vil/content/v_101095.htm

W32/Netsky.j@MM
March 8, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4335 (released 3/8/2004 2:30 pm HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101083.htm

Stinger Removal Tool: http://vil.nai.com/vil/stinger/

NAI raised the threat of this newly detected variant W32/Netsky.j@MM to MEDIUM due to increased prevalence and released DAT 4335 early to detect this new threat. Please update your McAfee DAT file to 4335 as soon as possible, using the manual Update Now m ethod.

Note: this variant is also known as W32.Netsky.k@MM by Symantec. To add to the confusion, NAI already has its own W32/Netsky.k@MM variant.

W32/Netsky.j@MM worm arrives via email with a spoofed or forged FROM address and a .PIF attachment (22,016 bytes).

Be careful about opening unexpected attachments, even from people you know.
Receiving email stating that your computer sent out a virus may not mean that your computer is infected as this virus spoofs the FROM address.

The worm arrives via email with these characteristics:

From: (forged address taken from infected system)
Subject: (one of the following list)

Re: Hello
Re: Hi
Re: Thanks!
Re: Document
Re: Message
Re: Here
Re: Details
Re: Your details
Re: Approved
Re: Your document
Re: Your text
Re: Excel file
Re: Word file
Re: My details
Re: Your music
Re: Your bill
Re: Your letter
Re: Document
Re: Your website
Re: Your product
Re: Your document
Re: Your software
Re: Your archive
Re: Your picture
Re: Here is the document
Body: one of the following)

Here is the file.
Your file is attached.
Your document is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Attachment: filename taken from strings within worm, with a .PIF extension:

yours.pif
your_text.pif
your_bill.pif
mp3music.pif
document.pif
my_details.pif
your_file.pif
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_details.pif
document_word.pif
all_document.pif
application.pif
your_picture.pif
document_excel.pif
document_4351.pif
document_full.pif
message_part2.pif
your_document.pif
message_details.pif
The worm harvests email addresses from files on the local system with the following file extensions:

.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.oft
.php
.pl
.rtf
.sht
.shtm
.msg
.tbb
.txt
.uin
.vbs
.wab
and avoids sending itself to email addresses for anti-virus and security companies. The virus uses its own STMP engine to construct messages and to mass mail itself.

The worm copies itself into the default Windows directory %WinDir% (eg. C:\WINDOWS, C:\WINNT) using the filename WINLOGON.EXE.

C:\WINNT\WINLOGON.EXE (22,016 bytes)
Note: A valid Windows file exists in the Windows System directory.

A Registry key is created to load the worm at system start.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth
It attempts to remove various Registry values, some of which are associated with other viruses, trojan, and applications.

If you are infected, please make sure you have the McAfee DAT file 4335 (released on March 8, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. If you suspect that your computer is infected with W32/Netsky.j@MM, download and run the updated Stinger removal tool (v2.1.2, 3/8/04).

W32/Sober.d@MM
(also known as W32/Roca-A)
March 8, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4334 (released 3/8/2004 7:30 am HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101081.htm

Stinger Removal Tool: http://vil.nai.com/vil/stinger/

March 8, 2004 10:00 am HST

NAI raised the risk level of the W32/Sober.d@MM variant to MEDIUM due to increased prevalence. Please update your McAfee DAT to 4334 as soon as possible, using the manual updater method.

W32/Sober.d@MM arrives via email pretending to be a patch from Microsoft for the Mydoom virus (written in English or German). The attachment is a file with an .EXE or .ZIP extension. *** Important: Microsoft never sends patches via email attachment! ** *

Summary of the worm:

contains its own SMTP engine for constructing messages
source/target email addresses are harvested from the infected computer
outgoing messages claim to be a patch from Microsoft (written in English and German)

The email has the following characteristics:

From: (sender)@microsoft.com (where "sender" is one of the following)

Info
Center
UpDate
News
Help
Studio
Alert
Security
Subject: Microsoft Alert: Please Read! (English version starts with this)

Body:

(English version)
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19 com

Attachment: either a .EXE or .ZIP with a filename (one of the following) and a optional 5- or 10-digit random number (33,792 bytes)

sys-patch
MS-UD
MS-Security
Patch
Update
MS-Q
For example, MS-UD89021.EXE or MS-Q4532364791.EXE.

When the attachment is run, a fake error message may be displayed. For example:

The worm installs itself into the default Windows System directory %SysDir% (c:\windows\system32 or c:\winnt\system32) using one of various possible filenames (constructed from a string pool carried within the worm). For example:

%SYSDIR%\diagwinhost.exe
It also adds the following registry key to run itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Run\disc32data "spool32" = %SYSDIR%\diagwinhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \RunOnce "diagdir" = %SYSDIR%\diagwinhost.exe %1

The filenames and Registry keys are random and are made up from the following strings:

sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
The worm also drops the following files into the %SYSDIR%:

Humgly.lkur (0 bytes at testing)
temp32x.data (46,244 bytes, Base-64 encoded copy of the worm)
wintmpx33.dat (46,426 bytes, Base-64 encoded ZIP containing the worm)
yfjq.yqwm (0 bytes at testing)
zmndpgwf.kxx (0 bytes at testing)
If you are infected, please make sure you have the McAfee DAT file 4334 (released on March 8, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. If you suspect that your computer is infected with W32/Sober.d@MM, download the updated Stinger removal tool (v2.1.1, 3/8/04).

W32/Bagle.j@MM
(also known as W32.Beagle.j@mm)
March 2, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4332 (released 3/2/2004 6:00 pm HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101071.htm

Stinger Removal Tool: http://vil.nai.com/vil/stinger/

March 2, 2004 7:15 pm HST

NAI raised the risk level of the W32/Bagle.h@MM variant to MEDIUM due to increased prevalence. Please update your McAfee DAT to 4332 as soon as possible. If you suspect that your computer is infected with W32/Bagle.j@MM, download the updated Stinger remov al tool (v2.1.0, 3/2/04).

This worm is spread via email with a spoofed FROM address and a carefully crafted email message posing to be a problem with your email account. At first glance, it appears to be a legitimate email warning notification. The attachment may be a password-pro tected ZIP file or a file with an .EXE or .PIF extension. The password is included in the message body. It also copies itself to folders containing the phrase shar in its filename, folders commonly used in peer-to-peer filesharing.

It also opens TCP port 2745 on the infected computer for remote connections.

The email arrives with the following characteristics:
From: (spoofed address)
Subject: (one of the following)

E-mail account security warning.

Notify about using the e-mail account.

Warning about your e-mail account.

Important notify about your e-mail account.

Email account utilization warning.

Notify about your e-mail account utilization.

E-mail account disabling warning.

Body: (carefully constructed from parts to make it appear like an authentic message)

Greeting (one of the following)

Dear user of (user's domain) ,

Dear user of (user's domain) gateway e-mail server,

Dear user of e-mail server "(user's domain) ",

Hello user of (user's domain) e-mail server,

Dear user of "(user's domain) " mailing system,

Dear user, the management of (user's domain) mailing system wants to let you know that,

Main Message Text (one of the following)

Your e-mail account has been temporary disabled because of unauthorized access.
Our main mailing server will be temporary unavaible for next two days, to continue
receiving mail in these days you have to configure our free auto-forwarding service.
Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
Attachment Explanation (one of the following)

For more information see the attached file.
Further details can be obtained from attached file.
Advanced details can be found in attached file.
For details see the attach.
For details see the attached file.
For further details see the attach.
Please, read the attach for further details.
Pay attention on attached file.
Password Information (if received as a ZIP file)

For security reasons attached file is password protected. The password is "(five random numbers) ".
For security purposes the attached file is password protected. Password is "(five random numbers) ".
Attached file protected with the password for security reasons. Password is (five random numbers) .
In order to read the attach you have to use the following password: (five random numbers) .
Closing (one of the following)

The Management,
Sincerely,
Best wishes,
Have a good day,
Cheers,
Kind regards,
The (user's domain) team http://www.(user's domain)
Attachment: (one of following with .EXE, .PIF, or .ZIP extension)

Attach
Information
Readme
Document
Info
TextDocument
TextFile
MoreInfo
Message
The worm uses the WordPad icon to make it appear that the attachment is a Wordpad document but it is really an executable file.

The worm copies itself to the Windows System directory as IRUN4.EXE.

C:\WINNT\SYSTEM32\IRUN4.EXE
It creates a file IRUN4.EXEOPEN which is either a copy of itself or a ZIP file (~13KB) to be sent in email.

It adds the following registry key to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"ssafe.exe" = C:\WINNT\SYSTEM32\irun4.exe

The worm attempts to terminate security processes.

The worm contains its own SMTP server to construct infected email messages to send out, using a spoofed or forged FROM address. If you receive an email alert that you sent an infected email, your computer may not necessarily be infected because of spoofing. It gathers email addresses from files on the infected computer with these extensions:

.adb
.asp
.cfg
.dbx
.eml
.htm
.mdx
.mmf
.nch
.ods
.php
.pl
.sht
.tbb
.txt
.wab
.xml
The virus is careful not to send itself to email addresses that contain these words to avoid detection.

@avp
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@
The worm copies itself to folders whose filename includes the phrase shar, commonly used in peer-to-peer filesharing applications such as KaZaa, Bearshare, Limewire, etc. If you have these P2P applications installed, beware! It's recommended that t hese applications be removed for security reasons. The infected files are:

ACDSee 9.exe

Adobe Photoshop 9 full.exe

Ahead Nero 7.exe

Matrix 3 Revolution English Subtitles.exe

Microsoft Office 2003 Crack, Working!.exe

Microsoft Office XP working Crack, Keygen.exe

Microsoft Windows XP, WinXP Crack, working Keygen.exe

Opera 8 New!.exe

Porno pics arhive, xxx.exe

Porno Screensaver.scr

Porno, sex, oral, anal cool, awesome!!.exe

Serials.txt.exe

WinAmp 5 Pro Keygen Crack Update.exe

WinAmp 6 New!.exe

Windown Longhorn Beta Leak.exe

Windows Sourcecode update.doc.exe

XXX hardcore images.exe

W32/Bagle.h@MM
(also known as W32.Beagle.h@mm)
March 2, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4331 (updated 3/2/2004 9:00 am HST on UH sites but doesn't work; use DAT 4332)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101068.htm

Stinger Removal Tool: http://vil.nai.com/vil/stinger/

March 2, 2004 7:15 pm HST

NAI raised the risk level of the W32/Bagle.h@MM variant to MEDIUM due to increased prevalence. McAfee DAT 4331 was not working and was reported to NAI. McAfee DAT 4332 was released early to detect the W32/Bagle.j@MM virus and will detect the W32/Bagle.h@M M variant as well. Please update your DAT file to 4332 as soon as possible. If you suspect that your computer is infected with W32/Bagle.h@MM, download the updated Stinger removal tool (v2.1.0, 3/2/04).

This worm is spread via email with a spoofed FROM address and a password-protected ZIP file attachment. The attachment's icon makes it appear as a folder. The password is included in the message body. It also copies itself to folders containing the phrase shar in its filename, folders commonly used in peer-to-peer filesharing.

It also opens TCP port 2745 on the infected computer for remote connections.

The email arrives with the following characteristics:
From: (spoofed address)
Subject: (one of the following)
Weah, hello! :)
Hokki =)
Weeeeee! ;)))
Hi! :-)
ello! =))
^-^ meay-meay!
^-^ mew-mew (-:

Body: (one of the following)
Hey, dude, it's me ^_^ :P
Argh, i don't like the plaintext :)
I don't bite, weah!

Looking forward for a response :P

Attachment: password-protected ZIP file with randomly named executable within ZIP file.

The password is included in the message body. The executable file uses an icon for a folder but is actually an executable file.

The worm copies itself to the Windows System directory as illr54n4.exe.

C:\WINNT\SYSTEM32\i11r54n4.exe (21,318 bytes) It adds the following registry key to hook system startup:

It adds this key to the registry:

HKEY_CURRENT_USER\Software\Winexe "open" It will also create other files in the Windows System directory:

go154o.exe (19,968 bytes) - DLL to do the mailing
ili5nlj4.exe (1,536 bytes) - DLL loader
i11r54n4.exeopen (20,774 bytes) - ZIP file to be sent in the email

W32/Bagel.h@MM is similar to the .f variant.

The worm contains its own SMTP server to construct infected email messages to send out, using a spoofed or forged FROM address. If you receive an email alert that you sent an infected email, your computer may not necessarily be infected because of spoofing. It gathers email addresses from files on the infected computer with these extensions:

.adb
.asp
.cfg
.dbx
.eml
.htm
.mdx
.mmf
.nch
.ods
.php
.pl
.sht
.tbb
.txt
.wab
.xml

The virus is careful not to send itself to email addresses that contain these words to avoid detection.

@avp
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@

It tries to contact the virus author by calling PHP scripts on remote sites.

At the time of this post, the script did not exist on these web sites.

The worm copies itself to folders whose filename includes the phrase shar, commonly used in peer-to-peer filesharing applications such as KaZaa, Bearshare, Limewire, etc. If you have these P2P applications installed, beware! It's recommended that t hese applications be removed for security reasons. The infected files are:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

W32/Bagle.e@MM
(also known as W32.Beagle.E@MM)
March 1, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4330 (released 2/29/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101061.htm
Stinger Tool Available: http://vil.nai.com/vil/stinger/

This new variant is similar to the W32/Bagle.c worm. It uses different file names to write to the local computer and it has a different file size. It listens on TCP port 2745 for remote connections.

The email arrives with the following characteristics:
From: (spoofed address)
Body: (message body is empty)
Subject: (one of following)

Accounts department

Ahtung!

Camila

Daily activity report

Flayers among us

Freedom for everyone

From Hair-cutter

From me

Greet the day

Hardware devices price-list

Hello my friend

Hi!

Jenny

Jessica

Looking for the report

Maria

Melissa

Monthly incomings summary

New Price-list

Price

Price list

Pricelist

Price-list

Proclivity to servitude

Registration confirmation

The account

The employee

The summary

USA government abolishes the capital punishment

Weekly activity report

Well...

You are dismissed

You really love me? he he

Attachment: randomly named executable within a small ZIP file (~16KB)

The executable file uses an icon for a text file but is actually an executable file.
After the infected file is executed, Notepad will appear with a blank window.

This mass-mailing worm has the following characteristics:

contains its own SMTP server to send out infected email messages
gathers email addresses from the infected computer
The email addresses are gathered from these files:
.adb

.asp

.cfg

.dbx

.eml

.htm

.html

.mdx

.mmf

.nch

.ods

.php

.pl

.sht

.txt

.wab

spoofs the FROM field using addresses harvested from the infected computer
notification is sent to the hacker (virus author) about its infection
The virus is careful not to send itself to email addresses that contain these words because it wants to avoid detection.
@avp

@hotmail.com

@microsoft

@msn.com

local

noreply

postmaster@

root@

It tries to contact the virus author by calling PHP scripts on remote sites.
the infected computer has a remote control component and could be used at a later time
The virus listens on TCP port 2745 for remote connections.
increased activity on the SMTP traffic within a network
the infected computer will have file i1ru74n4.exe (which is the virus itself) in the C:\WINNT\SYSTEM32 directory.

It will also create other files in this directory:
- godo.exe (18,944 bytes) - DLL to do the mailing
- ii455nj4.exe (1,536 bytes) - DLL loader
- i1ru74n4.exeopen (~16KB) - ZIP file to be sent in the email
There are some registry changes so that the virus can start up every time the computer is booted.
A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

The virus also tries to turn off any security services that are running on the computer.

ATUPDATER.EXE	AUPDATE.EXE	AUTODOWN.EXE	AUTOTRACE.EXE	AUTOUPDATE.EXE
AVLTMAIN.EXE	AVPUPD.EXE	AVWUPD32.EXE	AVXQUAR.EXE	CFIAUDIT.EXE
DRWEBUPW.EXE	ICSSUPPNT.EXE	ICSUPP95.EXE	LUALL.EXE	MCUPDATE.EXE
NUPGRADE.EXE	OUTPOST.EXE	UPDATE.EXE

W32/Netsky.d@MM
March 1, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4328 (released 2/25/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101064.htm

March 1, 2004 - NAI raised the threat level to MEDIUM due to increased prevalence. DAT 4328 (released 2/25/2004) or higher will proactively detect this variant with scanning of compressed files enabled.

W32/Netsky.d is a virus that will spread via mass mailing. It has its own SMTP server that will make a direct connection to your mail server (e.g. mail.hawaii.edu) and sends out infected attachments (17,424 bytes) with a PIF extension to email addresses t hat it finds on the local system in address book files, word processing files (i.e. doc), and web files such as htm, asp, and cgi. Please see the list of file extensions below. The messages will impersonate (spoof) the sender's email address using addres ses found in these files. Do not open attachments that arrive with "return to sender" messages from people you do not know. Please delete these messages and purge them from your mail boxes.

This is a list of files that Netsky uses to gather email addresses to impersonate (spoof).

.adb	.asp	.cgi	.dbx	.dhtm	.doc	.eml
.htm	.oft	.php	.pl	.rtf	.sht	.shtm
.msg	.tbb	.txt	.uin	.vbs	.wab

The worm arrives in an email message with the following characteristics:

From: (forged or spoofed address from infected system)
Subject:(one of the following)

Re: Hello
Re: Hi
Re: Thanks!
Re: Document
Re: Message
Re: Here
Re: Details
Re: Your details
Re: Approved
Re: Your document
Re: Your text
Re: Excel file
Re: Word file
Re: My details
Re: Your music
Re: Your bill
Re: Your letter
Re: Document
Re: Your website
Re: Your product
Re: Your document
Re: Your software
Re: Your archive
Re: Your picture
Re: Here is the document

Body: (one of the following)

Here is the file.
Your file is attached.
Your document is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.

Attachment: filenames taken from strings within the worm, with a .PIF extension. Possible attachment names are:

yours.pif
your_text.pif
your_bill.pif
mp3music.pif
document.pif
my_details.pif
your_file.pif
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_details.pif
document_word.pif

Netsky copies itself to the default Windows folder using the filename WINLOGON.EXE

c:\WINNT\WINLOGON.EXE (17,424 bytes)

Note: a legitimate WINLOGON.EXE file exists in the Windows System directory.

Netsky will also remove the registry edits made by previous viruses such as MyDoom, Netsky.a, and others. It will also remove some services from the registry. The virus removes various Registry values associated with other recent virus (W32/Netsky.a@MM, W32/Netsky.b@MM, W32/Mydoom.a@MM, W32/Mydoom.b@MM, W32/Mimail.t@MM).

A registry key is created to load the worm on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ICQ Net" = %WinDir%\WINLOGON.EXE - stealth

Symptoms of Netsky.d are the existence of files and registry keys, unexpected network traffic, and outgoing DNS request to one of the following IP addresses.

145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137
62.155.255.16

Please use the Stinger tool to detect Netsky if you do not know what to do. The Stinger tool may be downloaded from http://vil.nai.com/vil/stinger/.

W32/Bagle.c@MM
Feb. 27, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4329 (released 2/27/2004 at 4:00 pm HST)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101059.htm Stinger Tool Available: Yes. http://vil.nai.com/vil/stinger/

This is a mass-mailing worm that has the following characteristics:

contains its own SMTP server to send out infected email messages
The body of the email messages are empty with a variety of subject lines. McAfee is still learning about this virus so these are only some of the subject lines - Accoutns department, Ahtung!, the employee, and Camila. The attachment is a small ZIP file th at contains a file that looks like an Excel file but it is an executable file.
After the infected Excel file is executed, Notepad will appear with a blank window.

gleans email addresses from the infected computer
The email addresses are gleaned from these files:

.adb	.asp	.cfg	.dbx	.eml	.htm	.html	.mdx
.mmf	.nch	.ods	.php	.pl	.sht	.txt	.wab

randomly places email addresses that it finds into the FROM field
notification is sent to the hacker (virus author) about its infection
The virus is careful not to send itself to email addresses that contain these words because it wants to avoid detection.
@avp

@hotmail.com

@microsoft

@msn.com

local

noreply

postmaster@

root@

It tries to contact the virus author by calling PHP scripts on remote sites.
the infected computer has a remote control component and could be used at a later time
The virus listens on TCP port 2745 for remote connections.
Besides the increased activity on the SMTP traffic within a network, the infected computer will have a README.EXE (which is the virus itself) in the C:\WINNT\SYSTEM32 directory. It will also create other files in this directory:
- onde.exe - DLL to do the mailing
- doc.exe - DLL loader
- readme.exeopen - ZIP file to be sent in the email
There are some registry changes so that the virus can start up every time the computer is booted.
A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

The virus also tries to turn off any security services that are running on the computer.

ATUPDATER.EXE	AUPDATE.EXE	AUTODOWN.EXE	AUTOTRACE.EXE	AUTOUPDATE.EXE
AVLTMAIN.EXE	AVPUPD.EXE	AVWUPD32.EXE	AVXQUAR.EXE	CFIAUDIT.EXE
DRWEBUPW.EXE	ICSSUPPNT.EXE	ICSUPP95.EXE	LUALL.EXE	MCUPDATE.EXE
NUPGRADE.EXE	OUTPOST.EXE	UPDATE.EXE

W32/Netsky.c@MM
Feb. 25, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows S erver 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4328 (released 2/25/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101048.htm

W32/Netsky.c is a virus that will distirbute itself in 2 ways. The first is through email. It has its own SMTP server that will make a direct connection to your mail server (i.e. mail.hawaii.edu) and send out infected attachments to email addresses that i t finds in address book files, word processing files (i.e. doc), and web files such as htm, asp, and cgi. Please see the list below. The messages are designed to impersonate the person's email address found in these files. You might receive return to sen der messages from people that you do not know. Do not open these email's attachments. Please delete them and purge them from your mail boxes.
This is a list of files that Netsky uses to glean email addresses to impersonate.

.adb	.asp	.cgi	.dbx	.dhtm	.doc	.eml
.htm	.oft	.php	.pl	.rtf	.sht	.shtm
.msg	.tbb	.txt	.uin	.vbs	.wab

The email attachment might have a double . extension so that it would be more difficult to detect. This a list of some common extensions. The first extension may be:

.doc
.htm
.rtf
.text

The last extension is one of the following:

.com
.exe
.pif
.scr

The second method is through peer-to-peer sharing or P2P (i.e. Kazaa). The virus will look for folder names that have "shar" inside of the name (i.e. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS). The folders can be on your computer or a sha red folder from a server. It will copy itself into these folders and changes it name (i.e. MS Service Pack 5.exe or Microsoft Office 2003 Crack.exe) The full list of filenames can be found on http://vi l.nai.com/vil/content/v_101048.htm

Netsky will also remove the registry edits made by previous viruses such as MyDoom, Netsky.a, and others. It will also remove some services from the registry. The virus removes various Registry values associated with other recent virus (W32/Netsky.a@MM, W32/Netsky.b@MM, W32/Mydoom.a@MM, W32/Mydoom.b@MM, W32/Mimail.t@MM).

The following values:

Sentry
OLE
service
au.exe
d3dupdate.exe
DELETE ME
msgsvr32

are deleted from CurrentVersion\Run CurrentVersion\RunServices Registry keys.

The following Registry keys are also deleted:

HKEY_CLASSES_ROOT\CLSID\
{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "KasperskyAv"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "system."

Symptoms of Netsky.c are the existence of files and registry keys, unexpected network traffic, and outgoing DNS request to a variety or IP addresses.

151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137
62.155.255.16

Manual Removal Instructions
Note: Improper removal of registry keys could cause your Windows to crash or not function at all. Please use your antivirus software or call the ITS Help Desk for assistance (808) 956-8883.

To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the file WINLOGON.EXE from your WINDOWS directory (typically c:\windows or c:\winnt)
NOTE: DO NOT delete the file WINLOGON.EXE from the WINDOWS SYSTEM directory as that is a valid Windows system file. (i.e. c:\windows\system, c:\windows\system32, c:\winnt\system, or c:\winnt\system32)

Edit the registry
- Delete the "ICQ Net" value from
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Run
  - HKEY_CURRENT_USERS\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Run

Please use the Stinger tool to detect Netsky if you do not know what to do. The Stinger tool may be downloaded from http://vil.nai.com/vil/stinger/.

W32/Mydoom.f@MM
Feb. 23, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4327 (released 2/23/2004)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/content/v_101038.htm

W32/Mydoom.f@MM is a mass-mailing worm that is spread via email and by copying itself to mapped drives. It opens a backdoor on TCP port 1080 and can download and execute arbitrary files. It will perform a Denial of Service (DoS) attack on www.microsoft.co m and www.riaa.com, if the infected computer's system date is between the 17th and 22nd of the month. The worm searches drives C: to Z: and deletes files with .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp extensions. The outgoing messages have attac hment filenames with .cmd, .bat, .pif, .com, .scr, and .exe extensions, and may be contained in a .ZIP file. The icon of the attachment may make it appear to be a text file.

The email has the following characteristics:
From: (spoofed or forged address)
Subject: (one of following)

(blank)
Announcement
ApprovedNews
Attention
automatic responderbr>
Bug
Current Status
EXPIRED ACCOUNT
For your information
hello
hi, it's me
hi
IMPORTANT
Information Warning
Love is Love is...
Please read
Please reply
Re: Approved
Re: Thank You
Re:
Read it immediately
read now!
Read this
Readme
Recent news
Something for you
Undeliverable message
Unknown
You have 1 day left
You use illegal File Sharing...
Your IP was logged
Your account is about to be expired
Your credit card
Your order is being processed
Your order was registered
Your request is being processed
Your request was registered

Body: (varies, such as)
Check the attached document
Details are in the attached document. You need Microsoft Office to open it.
Greetings
Here is the document.
Here it is
I have your password :)
I wait for your reply.
I'm waiting Okay
I'm waiting
Information about you
Is that from you?
Is that yours?
Kill the writer of this document!
OK Everything ok?
Please see the attached file for details
Please, reply
Read the details.
Reply
See the attached file for details
See you Here it is
See you
Something about you
Take it
The document was sent in compressed format.
We have received this document from your e-mail.
You are a bad writer
You are bad

Attachment: (variable filename with .cmd, .bat, .pif, .com, .scr, .exe extension or may be contained in a .ZIP file)
creditcard.bat
creditcard.zip
details.zip
mail.zip
notes.zip
part1.zip
paypal.zip
photo.zip
textfile.zip
vpf.zip
website.zip
%random characters%.zip

The icon for the attachment may make it appear to be a text file.

It copies itself to the WINDOWS SYSTEM directory using random filenames, e.g. hiruszomrk.exe (%SYSDIR%hiruszomrk.exe).

It creates a registry key to load itself on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "nhch" = %SYSDIR%\hiruszomrk.exe
It also uses a DLL that it creates in the Windows System directory as:

%SYSDIR%\vppu.dll (8,068 bytes)
The worm copies itself as .ZIP or .EXE files in different directories on the local hard drive and mapped drives. The filenames are random and 34 Kbytes in size. The worm searches the %System% folder on drives C: through Z: and deletes files with .b mp, .avi, .jpg, .sav, .xls, .doc, and .mdb extensions.

The worm harvests email addresses from files on drives C: to Z:, Temporary Internet Files folder (Internet Explorer web browser cache), and the Windows address book. It uses its own SMTP engine to construct outgoing messages.

The worm checks current running processes and attempts to shut down anti-virus and other processes.

If the system date is between the 17th and 22nd of the month, it performs a Denial of Service (DoS) attack on www.microsoft.com and www.riaa.com using random ports on the infected computers.

The worm listens on TCP port 1080 and opens ports from 3000 through 5000.

If you are infected, please make sure you have the McAfee DAT file 4327 (released on Feb. 23, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. The stand-alone Stinger removal tool (v.2.0.3, 2/23/04) has been updated to detect and clean this threat.

W32/Netsky.b@MM
Feb. 18, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4325 (released 2/18/2004)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/conten t/v_101034.htm
W32/Netsky.b@MM is a mass-mailing worm that is spread via email and by copying itself to folders named share or sharing on the local system and mapped network drives. This results in virus propagation via KaZaa, Bearshare, Limewire, and othe r P2P applications that use shared folders named share or sharing. It also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses. The outgoing messages have attachment filenames with a double extension, such as .rtf.pif, and may be contai ned in a .ZIP file.

The email has the following characteristics:
From: (spoofed or forged address taken from infected system) or skynet@skynet.de
Subject: (one of following)
fake
for
hello
hi
immediately
information
it
read
something
stolen
unknown
warning
you

Body: (one of following)
about me
anything ok?
do you? that's funny
from the chatter
greetings
here
here is the document.
here it is
here, the cheats
here, the introduction
here, the serials
i found this document about you
I have your password!
i hope it is not true!
i wait for a reply!
i'm waiting ok
information about you
is that from you?
is that true?
is that your account?
is that your name?
kill the writer of this document!
my hero
read it immediately!
read the details.
reply
see you
something about you!
something is fool
something is going wrong
something is going wrong!
take it easy
that is bad
thats wrong why?
what does it mean?
yes, really?
you are a bad writer
you are bad
you earn money
you feel the same
you try to steal
your name is wrong

Attachment: (random filename with double extension or may be contained in a .ZIP file, size 22,016 bytes, one of following)
aboutyou
attachment
bill
concert
creditcard
details
dinner
disco
doc
document
final
found
friend
jokes
location
mail2
mails
me
message
misc
msg
nomoney
note
object
part2
party
posting
product
ps
ranking
release
shower
story
stuff
swimmingpool
talk
textfile
topseller
website

followed by .doc, .htm, .rtf, or .txt and ending with .com, .exe, .pif, and .scr.

The virus gathers email addresses from files on the infected computer with .adb, .asp, .dbx , .doc, .eml, .htm, .html, .msg, .oft, .php, .pl, .rtf, .sht, .tbb, .txt, .uin, .vbs, .wab extensions. It mails itself to harvested email addresses using its own S MTP engine to construct messages.

Upon execution, a fake error message (The file could not be opened!) may be displayed.

It copies itself to the default WINDOWS directory (c:\windows for Windows XP, c:\winnt for Windows NT/2000, c:\windows for Windows 95/98/ME) as SERVICES.EXE. Note: there is a legitimate Windows services.exe file in the WINDOWS SYSTEM directory.

It creates a registry key to load itself on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "service" = C:\WINNT\services.exe -serv
The worm copies itself to the share or sharing folder on the local system and on mapped network drives using one of the following filenames:
angels.pif
cool screensaver.scr
dictionary.doc.exe
dolly_buster.jpg.pif
doom2.doc.pif
e.book.doc.exe
e-book.archive.doc.exe
eminem - lick my pussy.mp3.pif
hardcore porn.jpg.exe
how to hack.doc.exe
matrix.scr
max payne 2.crack.exe
nero.7.exe
office_crack.exe
photoshop 9 crack.exe
porno.scr
programming basics.doc.exe
rfc compilation.doc.exe
serial.txt.exe
sex sex sex sex.doc.exe
strippoker.exe
virii.scr
win longhorn.doc.exe
winxp_crack.exe

The worm also drops many .ZIP files containing the worm (22,016 bytes). The compressed file usually uses a filename with a double extension, such as .doc.pif, .rtf.com, .rtf.scr. These are the .ZIP filenames:
aboutyou.zip
attachment.zip
bill.zip
concert.zip
creditcard.zip
details.zip
dinner.zip
disco.zip
final.zip
found.zip
friend.zip
jokes.zip
location.zip
mail2.zip
mails.zip
me.zip
message.zip
misc.zip
msg.zip
nomoney.zip
note.zip
object.zip ,br>
part2.zip
party.zip
posting.zip
product.zip
ps.zip
ranking.zip
release.zip
shower.zip
story.zip
stuff.zip
swimmingpool.zip
talk.zip
textfile.zip
topseller.zip
website.zip

The worm also removes registry keys associated with W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

If you are infected, please make sure you have the McAfee DAT file 4325 (released on Feb. 18, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. The stand-alone Stinger removal tool (v.2.0.2, 2/18/04) has been updated to detect and clean this threat.

W32/Bagle.b@MM
Feb. 17, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4324 (released 2/17/2004)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/conten t/v_101030.htm
The ITS mail server (mail.hawaii.edu) is scanning for this threat. W32/Bagle.b@MM is a mass-mailing worm that is from a spoofed address. It listens on TCP port 8866 for remote connections. The outgoing messages have random attachment names with .EXE file extension (11,264 bytes). If the system date is Feb. 25, 2004 or later, the virus does not propagate.

The email has the following characteristics:

From: (address is spoofed)
Subject: ID (random string)... thanks
Body:
Yours ID (random string2)
--
Thank
Attachment: (random filename with .EXE extension, size 11,264 bytes)

The virus gathers email addresses from files on the infected computer with .wab, .txt, .htm, and .html extensions. It mails itself to harvested email addresses using its own SMTP engine. However, it doesn't mass-mail itself to addresses that include @hotm ail.com, @msn.com, @microsoft, and @avp.

The virus listens to TCP port 8866 for remote connections. This use of this backdoor is being investigated by NAI.

A notification is sent to the author via HTTP. A GET request with port number and "id" is sent to a PHP script on remote servers. Block access to the following domains:
http://www.47df.de
http://www.strato.de
http://intern.games-ring.de

When the attachment is run and the system date is Feb. 25, 2004 or later, the virus exits and doesn't propagate.

If the system date is before Feb. 25, 2004, the virus runs the standard Windows Sound Recorder program (SNDREC32.EXE). The virus uses the same icon as the Windows Sound Recorder.

It also copies itself to the Windows System directory (c:\windows\system32 for Windows XP, c:\winnt\system32 for Windows NT/2000, c:\windows\system for Windows 95/98/ME) as au.exe.

It creates a registry key to load itself on startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "au.exe" = C:\WINNT\System32\au.exe

It creates two additional registry keys:

HKEY_CURRENT_USER\Software\Windows2000 "frn"
HKEY_CURRENT_USER\Software\Windows2000 "gid"

If you are infected, please make sure you have the McAfee DAT file 4324 (released on Feb. 17, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. The stand-alone Stinger removal tool (v.2.0.1, 2/17/04) has been updated to detect and clean this threat.

W32/Mimail.s@MM
Jan. 29, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4321 (released 1/29/04)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/content/v_100989.htm

Please update your McAfee DAT to 4321 as soon as possible.

W32/Mimail.s@MM is a mass-mailing worm that attempts to steal credit card information by displaying a fake message that your Microsoft Windows license has expired.

The worm harvests email addresses by appending .org, .net or .com to strings from files on an infected computer. The harvested email addresses are saved in c:\windows\outlook.cfg. The worm has its own SMTP engine to construct email messages with varying subject lines, message bodies and attachment names.

For example,
Subject: here is the file you asked for
Body: Hi! Here is the file you asked for!
Attachment: document.txt.scr

Possible attachment file extensions include:
.pif
.scr
.exe
.jpg.pif
.jpg.scr
.jpg.exe
.gif.pif
.gif.scr
.gif.exe

When the attachment is run, a fake error message is displayed.

The worm checks if a credit card is entered and displays an error message if a dummy number is entered.

Stolen credit card numbers are sent to email addresses found in the worm's body in the mail15.com and ziplip.com domains. The stolen information is saved in c:\xx.

When the attachment is opened, the worm copies itself to c:\Windows\rabbit.exe and c:\Windows\x (worm body).

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "RabbitWannaHome" = %WinDir%\rabbit.exe

If you are infected, please make sure you have the McAfee DAT file 4321 (released on Jan. 29, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

W32/Mydoom@MM
(alias W32.Novarg.A@MM, Novarg, Win32/Shimg)
Jan. 26, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: High Outbreak
Minimum VirusScan DAT: 4319 (released 1/26/04 6:35 pm HST)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/content/v_100983.htm

Please update your McAfee DAT to 4319 as soon as possible. The date of the virus definition will appear as Jan. 27, 2004 in VirusScan.

NAI has updated the Stinger removal tool (v1.9.7, 1/26/04) to detect and repair W32/Mydoom@MM. You must reboot after running Stinger to complete the repair. Note: Windows ME/XP users need to disable system restore before running Stinger.

This mass-mailing and peer-to-peer file-sharing worm arrives in email with the following characteristics:

From: (spoofed)
Subject: (Random) possible subject lines:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The message contains Unicode characters and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon for the attachment makes it appear to be a text file. Attachment file names are common names but may be random. Examples include:
document.scr
doc.bat
document.zip
message.zip
readme.zip
text.pif
hello.cmd
body.scr
test.htm.pif
data.txt.exe
file.scr

When the attachment is opened, Notepad opens filled with garbage characters. It copies itself to the local system with filenames:

c:\Program Files\KaZaa\My Shared Folder\activation_crack.scr

%SysDir%\taskmon.exe

where %SysDir% is the Windows System directory.

It creates the file shimgapi.dll (4,096 bytes) in the Windows System directory. This DLL is injected into EXPLORER.EXE upon reboot via registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

It creates the registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote control. On the first system startup after Feb. 2, 2004, the worm changes its behavior to start a denial of service (DoS) attack against the sco.com domain. The DoS attack will stop on Feb. 12 , 2004.

The worm copies itself in the KaZaa Shared Directory with filenames such as:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with file extensions .pif, .scr, or .bat.

The worm harvests email addresses from the local system from files with the following extensions:
wab
adb
tbb
dbx
asp
php
sht
htm
txt

If you are infected, please make sure you have the McAfee DAT file 4319 (released on Jan. 27, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

W32/Dumaru.y@MM
Jan. 26, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4318 (released 1/26/2004)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/content/v_100980.htm
The ITS mail server (mail.hawaii.edu) is scanning for this threat. W32/Dumaru.y@MM is a mass-mailing worm that steals data and allows a remote hacker to run commands on your computer, listening on TCP ports 2283 and 10000. The worm captures keystrokes dur ing web browser sessions, targetting online banking essions.

The email has the following characteristics:

From: "Elene" (F (removed) ENSUICIDE@HOTMAIL.COM) (profanity removed)
Subject: Important information for you. Read it immediately !
Body: Here is my photo, that you asked for yesterday.
Attachment: myphoto.zip

The attachment expands to myphoto.jpg (many spaces).exe.

The worm gathers email addresses from files on the infected computer with .htm, .wab, .html, .dbx, .tbb, and .abd extensions. It mails itself to harvested email addresses using its own SMTP engine.

When executed, the worm also copies itself on the infected computer:

%WinDir%\RUNDLLX.SYS

%SysDir%\L32X.EXE

%SysDir%\VXD32V.EXE

where %WinDir% is the Windows directory (e.g. C:\WinNT) and %SysDir% is the Windows System directory (c:\windows\system32 for Windows XP, c:\winnt\system32 for Windows NT/2000, c:\windows\system for Windows 95/98/ME).

It creates a registry key:

HKEY_LOCAL_MaACHINE\Software\SARS

If you are infected, please make sure you have the McAfee DAT file 4318 (released on Jan. 26, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

W32/Bagle@MM
Jan. 19, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4316 (released 1/18/2004)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/conten t/v_100965.htm
The ITS mail server (mail.hawaii.edu) is scanning for this threat. W32/Bagle@MM is a mass-mailing worm that pretends to be a test message and is from a spoofed address. It listens on TCP port 6777 for remote connections. The outgoing messages have random attachment names. If the system date is Jan. 28, 2004 or later, the virus does not propagate.

The email has the following characteristics:

From: (address may be forged)
Subject:Hi
Body:
Test =)
(random characters)
--
Test, yep.
Attachment: (random filename, size 15,872 bytes)

The virus gathers email addresses from files on the infected computer with .wab, .txt, .htm, and .html extensions. It mails itself to harvested email addresses using its own SMTP engine. However, it doesn't mass-mail itself to addresses that include @hotmail.com, @msn.com, @microsoft, and @avp.

The virus listens to TCP port 6777 that allows a remote attacker to execute commands on the local system, download executables to the local system, and terminate and delete the worm program.

When the attachment is run and the system date is Jan. 28, 2004 or later, the virus exits and doesn't propagate. If the system date is before Jan. 28, 2004, the virus runs the standard Windows calculator program (calc.exe). It also copies itself to the Windows System directory (c:\windows\system32 for Windows XP, c:\winnt\system32 for Windows NT/2000, c:\windows\system for Windows 95/98/ME) as bbeagle.exe.

It creates a registry key to load itself on startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe

It creates two additional registry keys:

HKEY_CURRENT_USER\Software\Windows98 "frun"
HKEY_CURRENT_USER\Software\Windows98 "uid"

If you are infected, please make sure you have the McAfee DAT file 4316 (released on Jan. 18, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. The stand-alone Stinger removal tool has been updated to detect and clean this threat.

W32/Sober.c@MM
Dec. 22, 2003

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4310 (released 12/21/2003)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/conten t/v_100912.htm
Network Associates has raised the alert level of W32/Sober.c@MM to MEDIUM risk due to increased prevalence. Please update your DAT file to 4310 (released 12/21/03) as soon as possible. The ITS mail server (mail.hawaii.edu) is scanning for this threat.

W32/Sober.c@MM is a mass-mailing worm written in Visual Basic. The outgoing messages have varying subject lines, message bodies and attachment names (in either English or German). There are two worm processes running on the infected computer to ensure tha t the worm stays memory resident.

Summary of the worm:

contains its own SMTP engine for constructing messages
target email addresses are harvested from the infected computer
the worm may have garbage at the end of the file (its file size may be larger than 74,223 bytes)

The email has the following characteristics:

Subject: (possible subject lines)

Betr: Klassentreffen
Testen Sie ihren IQ
Bankverbindungs- Daten
Neuer Dialer Patch!
Ermittlungsverfahren wurde eingeleitet
Ihre IP wurde geloggt
Sie sind ein Raubkopierer
Sie tauschen illegal Dateien aus
Ich hasse dich
Ich zeige sie an!
Sie Drohen mir
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
Attachment: (possible filenames)

www.iq4you-german-test.com
www.freewantiv.com
www.free4manga.com
www.free4share4you.com
www.tagespolitik-umfragen.com
www.onlinegamerspro-worm.com
www.freegames4you-gzone.com
www.boards4all-terror432.com
www.anime4allfree.com
www.animepage43252.com
yourmail
alledigis
aktenz
Attachments may end with a .com, .bat, .cmd, .pif, .scr, .exe or .com extension, and may be preceeded with a .txt or .doc, and/or a random number.

When the attachment is run, a fake error message is displayed. For example:

The worm installs itself into the default Windows System directory %SysDir% (c:\windows\system32 or c:\winnt\system32) as SYSHOSTX.EXE. Two other copies of the worm are dropped into %SysDir%, with varying filenames. For example:

%SysDir%\ONDMONSTR.EXE

%SysDir%\DATMSCRYPT.EXE

These two files are responsible for monitoring and maintaining that the worm stays memory resident. Upon termination of one worm process, another copy is quickly restarted.

It modifies the registry so the worm is run on system startup, where "string" varies between infections.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "(string)" = %SysDir%\ONDMONSTR.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "(string)" = %SysDir%\ONDMONSTR.EXE

If you are infected, please make sure you have the McAfee DAT file 4310 (released on Dec. 21, 2003) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

W32/Mimail.i@MM
November 14, 2003

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4304 (released 11/14/2003)
Minimum VirusScan scan engine: 4240
For more information: http://vil.nai.com/vil/conten t/v_100822.htm
Network Associates has raised the alert level of W32/Mimail.i@MM to MEDIUM risk due to increased prevalence. Please update your DAT file to 4304 (released 11/14/03) as soon as possible.

W32/Mimail.i@MM is a mass-mailing worm which attempts to steal credit card information by displaying a fake PayPal message, announcing the expiration of your PayPal account. It spreads with attachment www.paypal.com.scr or paypal.asp.scr.

Summary of the worm:

contains its own SMTP engine for constructing messages
mails itself as www.paypal.com.scr or paypal.asp.scr attachment
uses email addresses harvested from the local computer

The email has the following characteristics:

When the attachment is run, the following window is displayed:

The worm installs itself into the default Windows directory %WinDir% as SVCHOST32.EXE (12,832 bytes). The worm creates the following files:

c:\pp.gif (paypal icon)

c:\pp.hta (graphical interface)

c:\ppinfo.sys (your credit card details)

%WinDir%\ee98af.tmp (copy of the worm)

%WinDir%\el388.tmp (harvested email addresses)

%WINDIR%\svchost32.exe (copy of the worm)

%WinDir%\zp3891.tmp

It modifies the registry so the worm is run on system startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "SvcHost32" = %WinDir%\svchost32.exe

If you are infected, please make sure you have the McAfee DAT file 4304 (released on Nov. 14, 2003) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

W32/Mimail.c@MM
October 31, 2003

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4301 (released 10/31/2003)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/conten t/v_100795.htm
Network Associates has raised the alert level of W32/Mimail.c@MM to MEDIUM risk due to increased prevalence. Please update your DAT file to 4301 as soon as possible.

The worm was initially "seeded" by mass-spamming with attachment undelivered.hta which creates the file c:\mware.exe. This executable is the worm, W32/Mimail.c@MM. When the .hta file is run, the following message is displayed:

Your message will be sent again in 1 hour. If it doesn't arrive - we will delete it from the queue.
W32/Mimail.c@MM is a mass-mailing worm which spreads with attachment PHOTOS.ZIP (contains PHOTOS.JPG.EXE) and can cause a denial of service attack.

Summary of the worm:

contains its own SMTP engine for constructing messages
mails itself as PHOTOS.ZIP attachment
uses email addresses harvested from the local computer
sends large amounts of data (garbage) to remote servers (port 80 and ICMP)

The email has the following characteristics:

The worm installs itself into the default Windows directory %WinDir% as NETWATCH.EXE (12,832 bytes). Three other files are dropped into the default Windows directory:

%WinDir%\EMP.TMP - list of email addresses harvested from the victim's computer

%WinDir%\EXE.TMP - copy of the worm

%WinDir%\ZIP.TMP - a ZIP archive containing the worm

It modifies the registry so the worm is run on system startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "NetWatch32" = C:\WINNT\NETWATCH.EXE

If you are infected, please make sure you have the McAfee DAT file 4301 (released on October 31, 2003) and a scan engine of 4.2.60. You may run a scan on all files to detect and clean up this worm.

If you need assistance, please call the ITS Help Desk (808) 956-8883 or toll-free from neighbor islands (800) 558-2669.

W32/Swen@MM
September 18, 2003

Platform: Windows 9x/ME/Windows NT/2000/XP
Risk Assessment: Medium (for Home Users)
Minimum VirusScan DAT: 4294 (released 9/18/2003)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/conten t/v_100662.htm

Network Associates has raised the alert level of W32/Swen@MM to MEDIUM risk for Home Users due to increased prevalence of this worm.

In some cases, it pretends to be a Microsoft Security Update. It can also impersonate mail delivery failure notices and attaches itself as a randomly named executable.

It terminates various processes including Regedit, ZoneAlarm, BlackIce, VirusScan, Norton Antivirus, F-Prot, Esafe, and others. It spreads via various mechanisms including:

mailing itself to email addresses extracted from files on the victim computer
copying itself over network shares (mapped drives)
sharing itself over the KaZaa P2P network
sending itself via IRC
The virus contains its own SMTP engine to construct outgoing email messages. Multiple subject lines and attachment names are constructed from strings within the worm to be used in outgoing messages. Target email addresses are extracted from files on the victim computer.
Sample of the email pretending to be a Microsoft Security Update

The worm copies itself to the startup folder on mapped network drives using a random filename.

The worm drops a SCRIPT.INI file (123 bytes) into the mIRC program folder to propagate via IRC (using dcc send).

The worm copies itself in a directory (random name) within the system temp directory, using suggestive names such as
SIRCAM CLEANER.EXE
YAHOO HACKER.EXE
HALLUCINOGENIC SCREENSAVER.EXE
etc

Symptoms
Display of fake message boxes to install Microsoft Security Update
Unexpected termination of anti-virus or security programs
Inability to run RegEdit on the victim computer

Various registry keys are modified to hook the execution of .BAT, .COM, .EXE, .PIF, .REG, and .SCR files.

If you are infected, please make sure you have the McAfee DAT file 4294 (released on September 18, 2003) and a scan engine of 4.2.60. You may run a scan on all files to detect and clean up this worm.

If you need assistance, please call the ITS Help Desk (808) 956-8883 or toll-free from neighbor islands (800) 558-2669.

W32/Dumaru.a@MM
August 28, 2003

Platform: Windows 9x/ME/Windows NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4290 (released 8/28/2003)
Minimum VirusScan scan engine: 4140
For more information: http://vil.nai.com/vil/conten t/v_100560.htm

Network Associates has raised the alert level of W32/Dumaru.a@MM from low to medium risk. W32/Dumaru.a@MM is a mass mailing worm, with its own SMTP engine, that will send email to addresses found in the following files on the infected computers hard drive :

.htm
.wab
.html
.dbx
.tbb
.abd
The email message will look like it is from Microsoft Security ("Microsoft" security@microsoft.com) and it will have an attachment called patch.exe. The patch.exe file carries the worm. If you receive a message with Microsoft security and a patch.exe, ple ase DELETE it immediately. Microsoft does not email any of their security patches to customers (http://www.microsoft.com/technet/treeview/default.asp?u rl=/technet/security/policy/swdist.asp).
Sample of the email

This worm might have a password stealer within it. If it does, McAfee VirusScan will detect the password stealer as PWS-Narod. It will also infect exe files on NTFS volumes using streams.

How to Clean
To remove this virus "by hand", follow these steps:

Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode
WinNT/2K/XP - Terminate the processes: LOAD32.EXE VXDMGR32.EXE DLLREG.EXE
Delete the following files:

%WinDir%\DLLREG.EXE
%SysDir%\LOAD32.EXE
%SysDir%\VXDMGR32.EXE

Note:
%WINDIR% is the c:\windows or c:\winnt
%SYSDIR% is c:\windows\system or c:\winnt\system

Edit the registry

Delete the "Load32" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run
Edit the "Run" value in the following key from "C:\WINDOWS\DLLREG.EXE" to "": HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Edit the "Shell" value in the following key from "explorer.exe %sysdir%\vxdmgr32.exe" to "explorer.exe": HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Additionl windows ME and XP removal considerations: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

If you are infected, please make sure you have the McAfee DAT file 4290 (released on August 28, 2003) and a scan engine of 4.2.60. You may run a scan on all files to detect and clean up this worm.

If you need assistance, please call the ITS Help Desk (808) 956-8883 or toll-free from neighbor islands (800) 558-2669.

W32/Sobig.f@MM
August 19, 2003

Platform: Windows NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4287 (released 8/19/2003)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100561.htm

There is a new variant of the W32/Sobig virus. Like the other variants, it spreads via mass mailing (uses its own SMTP engine) and over network shares (not confirmed in testing by NAI yet). The worm has garbage data appended at the end of the file so exact filesize may vary.

The standalone NAI Stinger tool has been updated to detect and remove this threat.

The worm copies itself on the victim machine as C:\WINNT\WINPPR32.EXE. It drops a configuration file in the default Windows directory as C:\WINNT\WINSTT32.DAT.

The following registry keys are added to hook the system on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = C:\WNNT\WINPPR32.exe /sinc

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = C:\WNNT\WINPPR32.exe /sinc

Target email addresses are harvested from files on the infected computer with the following extensions:

DBX
HLP
MHT
WAB
EML
TXT
HTM
HTML

The worm may arrive in email with the following characteristics:

From: (the from: address may be spoofed or forged with an email address found on the victim's machine)
Subject:
Your details
Thank you!
Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

The worm attempts to send NTP packets to remote NTP servers using destination port 123.

W32/Nachi.worm
August 18, 2003

Platform: Windows NT/2000/XP/Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4286 (released 8/18/2003)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100559.htm

The worm exploits the MS03-026 RPC buffer overflow vulnerability and is not related to the W32/Lovsan.worm.d (aka Blaster worm). It creates high ICMP traffic on the network.

The worm spreads by scanning the local subnet on port 135 for target Windows machines with the MS03-026 vulnerability. It pings potential victim machines, and upon reply, sends the exploit data. A remote shell is created on the target machine on TCP port 707. Victim machines are instructed to download the worm via TFTP. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole.

A mutex named RpcPatch_Mutex is created to ensure that only one instance of the worm is on the victim machine.

The worm installs itself in the WINS directory in the Windows System directory:

C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)

Note: there is a legitimate file named DLLHOST.EXE but it is approximately 5-6 KB.

The worm attempts to copy the TFTPD.EXE file from dllcache on the victim computer to the WINS directory and renames it to SVCHOST.EXE.

The following servicees are installed:
RpcPatch runs the installed copy of the worm (DLLHOST.EXE)
Display name "WINS Client"
RpcTftpd runs the copy of the TFTPD application (SVCHOST.EXE)
Display name "Network Connections Sharing"

The worm attempts to download and install one of the patches for the MS03-026 vulnerability. When the system clock reaches Jan. 1, 2004, the worm will delete itself upon execution.

Unless the system is patched for the MS03-026 vulnerability, it is susceptible to the buffer overflow attack from an infected machine. When packets are sent to the RPC service on port 135, unpatched systems will get a buffer overflow and crash. The worm does not have to be on the unpatched system.

Once the system is patched, it is important that the system is rebooted.

W32/Lovsan.worm (aka Blaster worm)
August 11, 2003
Last Revised: August 13, 2003 at 2:38 pm

Platform: Windows NT/2000/XP/2003 Server
Risk Assessment: Medium
Minimum VirusScan DAT: 4285 (released 8/13/2003)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100547.htm

The worm is looking for victims by scanning the network for Windows computers that do not have the MS03-026 Microsoft security patch. The infected computer will have an open port on TCP 4444 and TFTP running. The worm will download itself into the %windir%\system32. The file name is msblast.exe. Once the msblast file is executed, the worm installs a registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
The infected computer will display error messages about the RPC service failing and computer will reboot.

Remedy
If you are infected already, you should unplug your network cable from the back of the computer then restart the computer with the network cable disconnected. (This should stop the rebooting.) You should download the stinger program from a clean computer (a computer that was not infected with the blaster worm). There is a NAI stinger program that will detect and attempt to remove the worm. You may download the file NAI Stinger. Please read the instructions before using this tool! After you have removed the worm, you need to apply the Microsoft patch MS03-026 and other patches from Windows Update. Once the Microsoft patch is installed, start your antivirus software and check the version. Please make sure that the version is the most current.

Update to Remedy (8/11/2003 3:30pm)
If you are not infected, please update your McAfee VirusScan today. There is an new DAT and SuperDAT file. Please download the new file Latest DAT and SuperDAT File or run the autoupdate on your McAfee VirusScan Console.

Update (8/13/2003):

Please download and use the DAT/SuperDAT file 4285 released 8/13/2003 instead of the Extra DAT.

There are reports that the worm has 2 new versions - Lovsan.b and Lovsan.c.
Lovsan.b version
The Lovsan.b will install a backdoor component that will allow an intruder to remotely control an infected computer. To indentify Lovsan.b, you should see 2 files in the %windir%\system32 - root32.exe (backdoor) and teekids.exe (worm).
Clean-up recommendations for Lovsan.b is to re-install the computer system. Please make sure that you have a backup of the computer system before this is done.

Lovsan.c version
The Lovsan.c does the same thing as the original Lovsan worm. The difference is that the blast32.exe file is called penis32.exe and it is stored in the %windir%\system32 directory. There are no reports of backdoors for this version at this time.
Clean-up recommendations for Lovsan.c is to use the NAI Stinger tool. The NAI Stinger tool will remove the registry edits but you will have to manually remove the penis32.exe file from the %windir%/system32 directory.

Please note: %windir% is the directory in which your Windows system files are stored. The most common places are windows and winnt (ie c:\windows\system32).

If you need further assistance, please call the ITS Help Desk at 956-8883 or Toll-free from neighbor islands (800) 558-2669.

W32/Mimail@MM
August 2, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4282 (released 8/1/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100523.htm

There have been many reports of this virus in the wild. Please update your DAT to 4282 as soon as possible. The Stinger removal tool has been updated to detect and remove this threat.

This worm exploits known security vulnerabilities for which Microsoft released patches some months ago. It uses the codebase (MS02-015) and MHTML exploits (MS03-014). Please patch your systems for these vulnerabilities, if you have not already done so.

The mass mailing worm arrives in an email message with the following format:

From: Admin@current_domain (from: address may be spoofed to appear that it is coming from the current domain)
Subject: your account (variable string)
Body:

Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

--- Best regards, Administrator

Attachment: message.zip

The attached .zip file contains a file named MESSAGE.HTM. The file automatically creates the file, foo.exe, in the Temporary Internet Files folder and runs it.

Note: The MS03-014 patch must be applied to prevent the automatic execution of the executable when accessing the MESSAGE.HTM file.

When run, the following files are created in the default WINDOWS %WINDIR% directory:
videodrv.exe (19,824 bytes)
exe.tmp (20,445 bytes)
zip.tmp (20,567 bytes)

The virus creates the following registry key to load itself on Windows Startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "VideoDriver" = C:\WINNT\videodrv.exe

The virus checks to see if the system is connected to the Internet by trying to contact google.com. If successful, it attempts to harvest email addresses from files on the local system and sends itself to those addresses. The mailing routine tries to quer y the mail server for the domain related to the harvested addresses. Messages are sent through that SMTP server. The local files with the following extensions are excluded from email address harvesting attempts:
AVI
BMP
CAB
COM
DLL
EXE
GIF
JPG
MP3
MPG
OCX
PDF
PSD
RAR
TIF
VXD
WAV
ZIP

The harvested addresses are stored in the eml.tmp file in the WINDOWS directory.

An additional registry key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Code Store Database\Distribution Units\
{11111111-1111-1111-1111-111111111111}

W32/Colevo@MM
July 1, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4274 (released 6/30/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100450.htm

NAI raised the risk level of this threat to Medium for Home users only.

The virus arrives in an email message and uses an icon almost identical to the icon associated with folders in Windows. This mass-mailing worm gathers MSN Messenger contact addresses. It launches Internet Explorer and connects to various news websites, displaying images of Bolivian Aymara Indian leader Evo Morales.

The e-mail arrives with the following format:

Subject: El adelanto de matrix ta gueno!!
Body: Pablo_Hack
Oye te U paso el programa para entrar a cuentas del messenger, y facilingo te lo paso a voz nomas, prometerr que no se lo pasas a nadie, ya? Respondeme que tal te parecio. chau!!

Attachment: hotmailpass.exe

The virus has a backdoor component. It leaves several TCP ports (1168, 1169, 1170 and 2536) open, allowing the hacker to control the infected computer remotely.

When run, it copies itself to the default Windows directory %WINDIR% with the following filenames:
All Users.exe
command.exe
Hot Girl.scr
hotmailpass.exe
Inf.exe
Internet Download.exe
Internet File.exe
Part Hard Disk.exe
Shell.exe
system.exe
system32.exe
system64.pif
Temp.exe
(where %WINDIR% is C:\WINDOWS or C:\WINNT)

It copies itself to the %SYSDIR% directory with the following filenames:
Inf.exe
net.com
www.microsoft.com
(where %SYSDIR% is C:\WINDOWS\SYSTEM32 or C:\WINNT\SYSTEM32)

The virus creates the following registry keys to load itself on Windows Startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "System"=%WINDIR%\system.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\1\2\3\4 "System"=%WinDir%\system.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices "System"=%WINDIR%\system.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServicesOnce "System"=%WinDir%\temp.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "System"=%WINDIR%\system.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\1\2\3\4 "System"=%WinDir%\temp.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices "System"=%WINDIR%\commands.com

The virus also modifies the following registry keys so that the worm is executed every time an associated file extension runs.
HKEY_CLASSES_ROOT\exefile "NeverShowExt"=
(hides the file extension of executables)
HKEY_CLASSES_ROOT\batfile\shell\open\command
"(Default)"="%WinDir%\temp.exe", "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command
"(Default)"="%WinDir%\command.exe", "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command
"(Default)"="%WinDir%\command.exe","%1" %*
HKEY_CLASSES_ROOT\htafile\Shell\Open\Command
"(Default)"="%WinDir%"\commands.com", "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command
"(Default)"="%WinDir%\commands.com","%1" %*

W32/Sobig.e@MM
June 26, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4273 (released 6/25/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100429.htm

NAI raised the risk level of this threat to Medium to due increased prevalence over the past few hours. The Stinger tool was updated to detect and remove W32/Sobig.e@MM.

The virus is a variant of W32/Sobig.d@MM. It propagates via email and over network shares. It has its own SMTP engine for constructing outgoing messages. The virus is sent in a ZIP archive. The outgoing messages may have a closing quote omitted from the attachment filename, which may cause some email clients to remove a character from the remaining filename. For example, attachments may have a ".ZI" extension, instead of ".ZIP".

Email addresses are extracted from files on the victim machine with the following extensions:
WAB
DBX
HTM
HTML
EML
TXT

The worm may arrive in email with the following characteristics:

From: (the from: address is spoofed or forged)
Body: Please see the attached zip file for details.
Attachment: (file extension may be truncated to .ZI) your_details.zip(which contains details.pif)

The worm tries to copy itself to the following network locations:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Windows\All Users\Start Menu\Programs\Startup\

When the worm is executed, it drops the following files into the %windir% (default Windows) directory:
"winssk32.exe" (approx 85KB) (a copy of itself)
"msrrf.dat" (configuration file)

Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"SSK Service" = %WinDir%\winssk32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SSK Service" = %WinDir%\winssk32.exe

W32/BugBear.b@MM
June 5, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: High
Minimum VirusScan DAT: 4270 (released 6/5/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100358.htm

The BugBear worm is spreading rapidly throughout the Internet. There are two methods of infection: network shares and email attachments. For network shares, the worm copied itself to the Windows startup folder using a randomly picked name (example of the file name are: BSFS.EXE). The email attachments are disguised as files that the curious person would want to look at. In most cases, the attachment's file name matches the subject line. If you would like to see the most current list of subject lines, please visit the NAI site http://vil.nai.com/vil/content/v_100358.htm. BugBear.b installs a key logger which captures the keystrokes from the infected computer. In addition to the key logger, there is a remote access trojan which will allow the attacker to gain access to the infected computer. The trojan part of the worm opens up TCP port 1080 on the infected computer.
Symptoms

There are reports that infected computers will send print jobs to network printers. It is not clear on what those print jobs look like.

There are unknown EXE files in the Windows startup folder.

Other people reporting that they received an email with an attachment from you. Please note that if this happens to you. You should update your VirusScan to the specifications above and scan your computer with the all files option on. You might not be the one that was infected because the email could have been sent by any one who has your email address stored in a file on their computer.

The antivirus software (VirusScan) does not start up or will not start the updater function.

If you have software firewall such as Zone Alarm and it is not working properly, you might be infected.

Please read the full description of BugBear.b for the most current information about this worm and recommendations for clean-up.

W32/Sobig.c@MM
June 2, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4268 (released 6/1/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100343.htm

Due to increased prevalence, the risk assessment of this threat was upgraded to Medium.

A new variant of the W32/Sobig virus was discovered on May 31, 2003. This variant is detected as W32/Sobig.dam in the 4267 DAT (released 5/28/03). However, you will need the 4268 DAT (released 6/1/03) to detect and remove the new variant. This variant spoofs or forges the from: address. Therefore, the perceived sender is not likely the infected user.

This mass-mailing worm is very similar to http://vil.nai.com/vil/content/v_100307.htm. It propagates via email and over network shares. It has its own SMTP engine for constructing outgoing messages. The outgoing messages may have a closing quote omitted from the attachment filename, which may cause some email clients to remove a character from the remaining filename. For example, attachments may have a ".PI" extension, instead of ".PIF".

Email addresses are extracted from files on the victim machine with the following extensions:
WAB
DBX
HTM
HTML
EML
TXT

The worm may arrive in email with the following characteristics:

From: bill@microsoft.com (note: could be any email address)

Subject:
Approved
Re: 45443-343556
Re: Application
Re: Approved
Re: Movie
Re: Screensaver
Re: Submitted (004756-3463)
Re: Your application

Attachment: (file extension may be truncated to .PI)
45443.pif
application.pif
approved.pif
document.pif
documents.pif
movie.pif
screensaver.scr
submited.pif

Message Body: Please see the attached file.

The worm tries to copy itself to the following network locations if the paths are accessible:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Windows\All Users\Start Menu\Programs\Startup\

When the worm is executed, it drops the following files into the %windir% (default Windows) directory:
"mscvb32.exe" (approx 50kB) (a copy of itself)
"msddr.dat" (configuration file)

Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb" = %WinDir%\mscvb32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb" = %WinDir%\mscvb32.exe

The worm checks the system date/time. If the date matches June 8, 2003 (or later), the worm no longer propagates. However, it installs itself on the target machines.

W32/Sobig.b@MM
(alias W32/Palyh@MM)
May 19, 2003
(revised May 22, 2003)

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4265 (released 5/18/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100307.htm

Starting from the 4266 DAT (released 5/21/03), NAI renamed this virus from W32/Palyh@MM to http://vil.nai.com/vil/content/v_100307.htm in order to correctly identify it as a new variant of W32/Sobig@MM.

This mass-mailing worm is very similar to http://vil.nai.com/vil/content/v_99950.htm. It propagates via email and over network shares. It has its own SMTP engine for constructing outgoing messages. The outgoing messages may have a closing quote omitted from the attachment filename, which may cause some email clients to remove a character from the remaining filename. For example, attachments may have a ".PI" extension, instead of ".PIF".

Email addresses are extracted from files on the victim machine with the following extensions:
WAB
DBX
HTM
HTML
EML
TXT

The worm may arrive in email with the following characteristics:

From: support@microsoft.com

Subject:
Re: My application
Re: Movie
Cool screensaver
Screensavers
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details

Attachment: (file extension may be truncated to .PI)
approved.pif
ref-394755.pif
password.pif
ref-394755.pif
application.pif
screen_doc.pif
screen_temp.pif
movie28.pif
download1053122425102485703.uue
doc_details.pif
_approved.pif

Message Body: All information is in the attached file.

The worm tries to copy itself to the following network locations:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Windows\All Users\Start Menu\Programs\Startup\

When the worm is executed, it drops the following files into the %windir% (default Windows) directory:
"msccn32.exe" (approx 50kB) (a copy of itself)
"hnks.ini" (configuration file)
"mdbrr.ini" (configuration file)

Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray" = %WinDir%\msccn32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray" = %WinDir%\msccn32.exe

The worm checks the system date/time. If the date matches May 31, 2003 (or later), the worm no longer propagates. However, it installs itself on the target machines.

W32/Fizzer@MM
May 12, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium on Watch
Minimum VirusScan DAT: 4263 (released 5/12/03)
Minimum VirusScan scan engine: 4160 (to detect); 4240 (to remove)
For more information: http://vil.nai.com/vil/content/v_100295.htm

This mass-mailing worm has many components and an internal timer to trigger different processes at different times.

It spreads via KaZaa and email, by mass-mailing itself to addresses found in the Microsoft Outlook Contacts list, Windows Address Book (WAB), and on the local system, and randomly generated addresses, sometimes forging the sender address. The worm arrives as an email attachment (various file names with .com, .exe, .pif, .scr extensions) with various subject lines and body text. It has its own SMTP engine.

Other components of the worm include:
IRC (Internet Relay Chat) bot
- when it connects to an IRC server, it opens a channel and awaits instructions from the attacker
AIM (AOL Instant Messenger) bot
- it connects to an AIM chat server on port 5190 and listens for further instructions
Keylogger
- captures types keystrokes and stores them in iservc.klg (encrypted file in Windows directory)
KaZaa worm
- copies itself to the default KaZaa download directory using random file names
HTTP server
- runs HTTP server of port 81, displaying information on the infected system.
Remote access server
- listens on port 2018, 2019, 2020, and 2021
Self-updating mechanism
- connects to geocities user page to download updates
Anti-virus software termination

When the attachment is executed, the worm extracts several files to the Windows (%WinDir%) directory.
initbak.dat - copy of the worm
iservc.exe - copy of the worm
ProgOp.exe (15,360 bytes) - process handling
iservc.dll (7,680 bytes) - handles timing and Windows hooking/keylogging

It modifies the handling of .TXT files, such that accessing a .TXT file results in the worm being run.

On WinNT/2K/XP systems, the worm creates a service named S1TRACE.

W32/Lovgate@M
Feb. 24, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium on Watch
Minimum VirusScan DAT: 4248 (released 2/19/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_100072.htm

NAI has received samples of another variant of this worm, 78,848 bytes in length. You will need DAT 4249 (released 2/24/03) to detect the variant, W32/Lovgat.c@M.

This mass-mailing worm spreads via email by auto-replying to all new messages found in the Outlook and Outlook Express inbox using its own SMTP engine. It also attaches itself as one of the files listed below and copies itself over network shares. It also drops a backdoor component, opening port 10168 on victim computers.

The worm auto-replies:

'I'll try to to reply as soon as possible.
Take a look at the attachment and send me your opinion!'

>Get your Free 'domain.com' account now! <

The worm propagates itself through open network shares, copying itself recursively to folders/subfolders, using the following filenames:
fun.exe
images.exe
news_doc.exe
s3msong.exe
pics.exe
billgt.exe
midsong.exe
PsPGame.exe
hamster.exe
setup.exe
tamagotxi.exe
joke.exe
docs.exe
searchurl.exe
card.exe
humor.exe

When executed, the worm copies itself to the %System% folder as:
WinGate.exe
rpcsrv.exe
syshelp.exe
winrpc.exe
WinRpcsrv.exe

The worm drops a trojan component in the %System% directory with the following names:
ily.dll
1.dll
reg.dll
task.dll

The backdoor trojan opens port 10168 on the computer and sends email notification to the hacker that the computer has been compromised. Information about the infected computer, including system password, is also sent to the hacker.

The following Registry keys are added to hook system startup:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     "syshelp" = C:\Windows\System\syshelp.exe

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     "WinGate initialize" = C:\Windows\System\WinGate.exe -remoteshell

A system startup hook is also added for the backdoor component:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     "Module Call initialize" = RUNDLL32.EXE reg.dll ondll_reg

The following Registry key is modified to hook the execution of text files:

     HKEY_CLASSES_ROOT\txtfile\shell\open\command
     (default) = "winrpc.exe %1"

When executed on Windows NT/2000, the worm installs itself as a service, with display name "Window Remote Service" (runs copy of worm with filename WINRPCSRV.EXE). One of the dropped backdoor components (TASK.DLL) also installs as two services with display names "dll_reg" and "Windows Management Extension".

W32/SQLSlammer.worm
Jan. 27, 2003

Platform: Windows NT/2000 Server running MS SQL Server 2000/MS Desktop Engine 2000
Risk Assessment: HIGH
Minimum VirusScan DAT: Stinger removal tool
Minimum VirusScan scan engine: N/A
For more information: http://vil.nai.com/vil/content/v_99992.htm

This threat has been rated HIGH only for unpatched systems (SQL servers not running SP3 for MS SQL/MSDE):
Microsoft SQL Server 2000
Microsoft Desktop Engine MSDE) 2000

For a complete list of patches that must be applied to SQL Servers that are not running SP3, go to Microsoft Technet. The worm uses a buffer overflow in "Server Resolution" service (see MS02-039)to gain control on a target server. SQL Servers running Service Pack 3 are not affected. Download SQL Server 2000 Service Pack 3.

This virus exists only in memory of unpatched Microsoft SQL servers. This worm does not exist as a file on your system. No INI or registry keys are created by this worm. Its only purpose is to spread from one system to another and it does not carry a destructive payload.

This worm causes increased traffic on UDP port 1434 and spreads between SQL servers. It causes heavy network traffic and can effect network performance on all systems on the network.

Removal Instructions
Block Incoming UDP port 1434 at your firewall (also turn off logging on that port)
Download and apply Service Pack 3 from Microsoft and restart the server.

This will clear the worm from memory and prevent reinfection. The corrected SSNETLIB.DDL will have version 2000.80.760.0 (right click on the DLL icon, select Properties, click Version tab.)

NAI has a new version of the Stinger removal tool that is designed to locate the worm in memory on infected SQL servers and shut down the SQL processes. Stinger must be run with Administrator privileges to shut down SQL Server. Stinger will not prevent future reinfections, unless you install Service Pack 3.

W32/Sobig@MM
Jan. 14, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4242 (released 1/11/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_99950.htm

Jan. 11, 2003 - NAI has raised the risk level of this threat to Medium due to increasing prevalence. Please update your DAT file to 4242 as soon as possible.

This mass-mailing worm sends itself to all addresses it finds in files with extensions .wab, .dbx, .htm, .html, .eml, and .txt using its own SMTP engine. It also attempts to copy itself to open network shares:
\Windows\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup

The outgoing email messages are from "big@boss.com" with the following possible subject lines:
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attachments (65,536 bytes) have one of the following filenames:
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

The worm installs itself into the Windows directory as WINMGM32.EXE and adds two registry hooks to start the program on startup:

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          "WindowsMGM" = C:\WINDOWS\winmgm32.exe

          HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Run
          "WindowsMGM" = C:\WINDOWS\winmgm32.exe

The worm may contain a multidropper package which drops a pornographic image (which is displayed) and the worm.

W32/Lirva.a@MM
Jan. 9, 2003

Platform: Windows 95/98/ME/NT/2000/XP
Risk Assessment: Medium
Minimum VirusScan DAT: 4241 (released 1/8/03)
Minimum VirusScan scan engine: 4160
For more information: http://vil.nai.com/vil/content/v_99949.htm

Jan. 9, 2003 - NAI has raised the risk level of this threat to Medium due to increasing prevalence. Please update your DAT file to 4241 (or higher) as soon as possible. Get the McAfee Livra Removal Tool (Stinger.exe v1.2 [625,152 bytes, 1/8/03]) if you have been infected with this virus.

This mass-mailing worm also attempts to spread via ICQ, IRC, and KaZaa. It contains a Password-Stealer payload. It tries to terminate anti-virus, firewall and security software and drops an IRC bot script.

The worm uses Outlook to gather email addresses in the "Sent Items" and "Inbox". It also queries the Windows Address Book and searches for addresses within files on the local disk with the following extensions:
.DBX
.EML
.HTM
.HTML
.IDX
.MBX
.NCH
.SHTML
.TBB
.WAB

Possible message subject lines include the following:
Fw: Avril Lavigne - the best
Fw: Prohibited customers...
Fwd: Re: Admission procedure
Fwd: Re: Reply on account for Incorrect MIME-header
Re: According to Daos Summit
Re: ACTR/ACCELS Transciptions
Re: Brigade Ocho Free membership
Re: Reply on account for IFRAME-Security breach
RE: Reply on account for IIS-Security
Re: The real estate plunger

The attachment is one of the following:
AvrilLavigne.exe
AvrilSmiles.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
Download.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Readme.exe
Resume.exe
Singles.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
Two-Up-Secretly.exe

The message body is variable and may contain one of the following:

Restricted area response team (RART)
___________________________________
Attachment you send to is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch.
___________________________________

or

Patch is also provided to subscribed list of Microsoft Tech Support: to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so and do not need to take additional action. Customers who have applied that patch are already protected against the vulnerability that is eliminated by a previously-released patch. Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0.

or

Admission form attached below. Vote for I'm with you! FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Avril fans subscription

The worm attempts to terminate anti-virus, firewall, and security processes running in memory. It monitors the titlebar of all windows and closes them if they contain one of the following strings:
anti
Anti
AVP
McAfee
Norton
virus
Virus

The worm copies itselft into the %WinDIR%\SYSTEM32 directory using a randomly generated name, e.g. A33AAAAgbab.EXE. A key is added to the registry to execute the worm during system boot:

          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ Run "Avril Lavigne - Muse" =
          C:\WINDOWS\SYSTEM32\A33AAAAgbab.EXE (random name)

Another key is created and used as a marker that the system is infected:

          HKEY_LOCAL_MACHINE\Software\HKLM\Software\OvG\Avril Lavingne

It also copies itself using one of the filenames of the attachment mentioned in the email propagation to c:\ and %WINDIR%\TEMP.
The worm places four copies of itself using random names into the RECYCLED folder and adds a call to itself in AUTOEXEC.BAT.

The worm tries to receive cached passwords from the infected host and sends an email by using its own SMTP engine via an open SMTP server (62.118.249.10 port 25 tcp).

After the worm executes, it opens the default web browser to the Avril Lavigne web site (http://www.avril-lavigne.com) and draws colored geometric figures on the screen which are always "on top" of the desktop.

back to top